Seeing continuous "Windows Account Locked" alert in Cisco IPS

Hi,

Does anyone have any idea why we are seeing a huge number of "Windows Account Locked" alerts on the Cisco IPS device towards only one Windows server?

We checked whether the Windows server is generating any malicious traffic by scanning the server, but nothing was found.

Feb 23 2011 20:05:47    Windows Account Locked    Cisco Intrusion Prevention System
Feb 23 2011 20:05:32    Windows Account Locked    Cisco Intrusion Prevention System
Feb 23 2011 20:04:47    Windows Account Locked    Cisco Intrusion Prevention System
Feb 23 2011 20:04:32    Windows Account Locked    Cisco Intrusion Prevention System
Feb 23 2011 20:03:47    Windows Account Locked    Cisco Intrusion Prevention System
Feb 23 2011 20:03:32    Windows Account Locked    Cisco Intrusion Prevention System
Feb 23 2011 20:02:47    Windows Account Locked    Cisco Intrusion Prevention System
Feb 23 2011 20:02:32    Windows Account Locked    Cisco Intrusion Prevention System


Do you have the signature ID?

How are you seeing the events? What are you using to check the events? IDM, IME? Send a screenshot of the exact event. In the event details, there will be a signature ID. That signature ID will tell us what the signature is designed to match on.

Sid Chandrachud

Cisco TAC - Security team

Hi,

Thanks for your response. When I looked it up further, on the Cisco IPS vulnerability reference page: http://tools.cisco.com/security/center/viewIpsSignature.x?

Signature ID: signatureId=5605

Target Port = 445.

Regards

Papdheen M

Mustafa,

Here are the signature details:

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=5605&signatureSubId=0&softwareVersion=6.0&releaseVersion=S262

This signature detects a Windows SMB user account that has been locked on the Windows server due to multiple failed logon attempts, via the "STATUS_ACCOUNT_LOCKED_OUT" message returned to the client.

This signature's severity is set by default to 'informational'.

Hence all the signature is doing is letting you know that some users were locked out due to multiple logon attempts.

The event details will also reveal the victim IP, which might be the machine on which the logon attempts were tried.

Let me know if this addresses your concern.

- Sid

Dear Sid,

Thanks for your response. Actually, the attacker IP is a database server joined to the domain, and the attacker username shows as empty.

The server is running with the latest AV signatures.

Attacker IP - Database server (the server itself)

Destination - Active Directory server

Destination Port - 445

More information will be helpful to isolate the problem.

Regards

Papdheen M
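Two things in this thread are worth checking before anyone chases "malicious traffic": the alerts above fire on a fixed 15 s / 45 s rhythm, which is the signature of a service or scheduled job retrying with a stale password rather than a person, and the IPS event cannot tell you which account because the username field is empty, while the domain controller's own Security log can (event 4625 records the failing account, the workstation and the NT status, and 0xC0000234 is STATUS_ACCOUNT_LOCKED_OUT, the same status the IPS matched on the wire). The following is an added example, not code from the thread or from Cisco: it parses an event list in the layout pasted above, measures the cadence, and correlates the alert times with constructed DC logon-failure records. The hostnames, IP addresses and the account name are made up; the 4625 field names follow the real event.

```python
"""Triage for Cisco IPS signature 5605 'Windows Account Locked' alerts.

Answers two questions the thread leaves open: is the alert cadence that of a
human or of an automated retry, and which account is being locked out when the
IPS shows the username as empty?  The second is answered from the domain
controller's Security log (event 4625 with Status 0xC0000234).
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample built from the eight timestamps quoted in the thread, in
# the same "<timestamp> / Windows Account Locked / Cisco Intrusion Prevention
# System" layout the poster pasted.
_ALERT_TIMES = ["20:05:47", "20:05:32", "20:04:47", "20:04:32",
                "20:03:47", "20:03:32", "20:02:47", "20:02:32"]
IPS_EVENTS = "".join(
    f"Feb 23 2011 {t}\nWindows Account Locked\nCisco Intrusion Prevention System\n"
    for t in _ALERT_TIMES)

_TS_RE = re.compile(r"^([A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})$")


def parse_ips_events(text, alert="Windows Account Locked"):
    """Return the timestamps (ascending) of every record carrying `alert`."""
    times, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _TS_RE.match(line):
            pending = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
        elif pending is not None and line == alert:
            times.append(pending)
            pending = None
    return sorted(times)


def intervals_seconds(times):
    """Gaps between consecutive alerts, in whole seconds."""
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def looks_automated(gaps, max_distinct=2, min_events=4):
    """A person mistyping a password does not retry on a fixed clock; a scheduled
    task or service holding a stale credential does.  Several alerts with only
    one or two distinct gap values is the tell."""
    return len(gaps) >= min_events - 1 and len(set(gaps)) <= max_distinct


# NT status carried in 4625 when the target account is already locked out; it is
# the same value the IPS signature sees in the SMB response.
STATUS_ACCOUNT_LOCKED_OUT = "0xc0000234"


def _rec(ts, user, workstation, ip, status):
    return {"TimeCreated": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "TargetUserName": user, "WorkstationName": workstation,
            "IpAddress": ip, "Status": status}


# Constructed 4625 (logon failure) records as exported from the DC's Security
# log.  Account, hostnames and IPs are made up; the DC clock is one second
# ahead of the sensor to show why the correlation needs a tolerance.
DC_4625 = [_rec(f"2011-02-23 {t}", "svc_dbbackup", "DBSRV01", "10.0.0.25",
                STATUS_ACCOUNT_LOCKED_OUT) for t in _ALERT_TIMES]
for _e in DC_4625:
    _e["TimeCreated"] += timedelta(seconds=1)
# one unrelated bad-password failure (0xC000006A) that must not be matched
DC_4625.append(_rec("2011-02-23 20:03:10", "jsmith", "WKS-117", "10.0.5.9", "0xc000006a"))


def correlate(ips_times, dc_events, tolerance=timedelta(seconds=2)):
    """Pair each IPS alert with DC logon failures that report a locked-out
    account within `tolerance`; tally (account, workstation, ip), i.e. the
    names the IPS event could not show."""
    sources, unmatched = Counter(), 0
    for t in ips_times:
        hits = [e for e in dc_events
                if e["Status"].lower() == STATUS_ACCOUNT_LOCKED_OUT
                and abs(e["TimeCreated"] - t) <= tolerance]
        if not hits:
            unmatched += 1
        for e in hits:
            sources[(e["TargetUserName"], e["WorkstationName"], e["IpAddress"])] += 1
    return {"matched": len(ips_times) - unmatched, "unmatched": unmatched,
            "sources": sources}


if __name__ == "__main__":
    times = parse_ips_events(IPS_EVENTS)
    gaps = intervals_seconds(times)
    print("alerts:", len(times), "gaps (s):", gaps,
          "automated cadence" if looks_automated(gaps) else "irregular cadence")
    for (user, ws, ip), n in correlate(times, DC_4625)["sources"].most_common():
        print(f"{n} lockout responses for {user!r} from {ws} ({ip})")
```

On the thread's own data the gaps come out as 15, 45, 15, 45, ..., two distinct values over eight alerts, which points at a job on the database server (a backup agent, linked-server login or scheduled task) authenticating with an old password; once the account name is known from the DC side, the fix is on that server's credential store, not on the IPS. Dropping the signature's severity or filtering it would hide exactly the data that answers the question.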
