Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1237
Views
0
Helpful
0
Replies

FTD Analysis > Failed User Login not shown in the User Activity events

GTEK.Global.IT
Level 1
Level 1

‎11-23-2017 03:06 AM - edited ‎02-21-2020 06:49 AM

Dear all,

 

I am having difficulties in seeing events with "Failed User Login" in the Table View of Events > User Activity of a 6.2.2 Firepower Management Center managing an FTDv. 

 

According to documentation - "The user activity type for detected failed login activity is Failed User Login." and I have enabled "Capture Failed Login Attempts"in the Network Discovery policy, but when testing 5 login attempts - I get 5 "User Login" events with authentication type "No Authentication" (screenshot attached). Last 2 events (per timestamp) are for 1 successful and 1 unsuccessful login, where as the next are with non-existing users in the database and 1 successful (anonymous user) and 2 unsuccessful attempts  - with no discrepancy between successful and un-successful login and known, unknown users... 

 

This is for every protocol that is being captured by the Network Discovery policy - the example is with FTP logins. 

How can I filter to see only Failed User Login events? Am I doing something wrong?

Thanks in advance for your support! 

Best regards,

Petar Trifonov

2 people had this problem
Labels:
Preview file
166 KB
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card