I've seen this when a host drops out of communication with the MC. Also, after a host has been deleted, the database will propagate with these type of alerts. Basically, the alerts cannot correlate to a specific host, so that field will be filled with 'unknown.'
*EDIT* You can see that HV-BRZ-APP02 in the user field of one of the unknowns. Then, 8 days later, it produces an alert with the correct host information. I'm running 18.104.22.168 and all those problems stopped for me. I don't know if you have the ability to update your hosts, but it might be advisable.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...