Dear all,
I am having difficulties in seeing events with "Failed User Login" in the Table View of Events > User Activity of a 6.2.2 Firepower Management Center managing an FTDv.
According to documentation - "The user activity type for detected failed login activity is Failed User Login." and I have enabled "Capture Failed Login Attempts"in the Network Discovery policy, but when testing 5 login attempts - I get 5 "User Login" events with authentication type "No Authentication" (screenshot attached). Last 2 events (per timestamp) are for 1 successful and 1 unsuccessful login, where as the next are with non-existing users in the database and 1 successful (anonymous user) and 2 unsuccessful attempts - with no discrepancy between successful and un-successful login and known, unknown users...
This is for every protocol that is being captured by the Network Discovery policy - the example is with FTP logins.
How can I filter to see only Failed User Login events? Am I doing something wrong?
Thanks in advance for your support!
Best regards,
Petar Trifonov