We are using ePO 4.5 and HIPS 220.127.116.112 with Patch 7. When we run a query to show, for example, the desktop with more triggered HIPS signatures and we use threat source column and threat target column in the result table to show the IPv4 address we get the same value in both columns, wich is IPv4 address of the system name. Is this normal? How could we get the threat source?
This is actually the expected behavior. HIPS modules by the time they process API and system calls at the OS level no longer have the target IP addresses available. The generic template it uses to populate information for security events does have section for source and destination IP addresses. It simply populates with the system's IP address.
Host IPS essentially provides shielding for potential vulnerabilities on your system and is not necessarily slanted towards or scaled for data forensics for attack sources. It intercepts API and system calls and source IPs aren't mostly not available they also typically don't have much context at that OS level.