If the attempt was local, meaning user plugged in an infected USB drive or unknowingly downloaded a bad file than the source in the log would be local, you wouldn't see a remote source. If the machine was infected before SEP was installed, the infection would still be considered local to the machine.