This looks like expected because all sessions on the same host sharing the same IP address, by default. You might consider Remote Desktop IP Virtualization
Or, you may check out the Firepower Terminal Server Agent.
Many thanks for trying it out. CDA is based on Kerberos security events so your results show it not compatible.
Next, please try Firepower Terminal Server Agent. I moved your post to FirePOWER, where the team will be able to assist you better.