cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
829
Views
0
Helpful
0
Replies

FTD Analysis > Failed User Login not shown in the User Activity events

GTEK.Global.IT
Beginner
Beginner

Dear all,

 

I am having difficulties in seeing events with "Failed User Login" in the Table View of Events > User Activity of a 6.2.2 Firepower Management Center managing an FTDv. 

 

According to documentation - "The user activity type for detected failed login activity is Failed User Login." and I have enabled "Capture Failed Login Attempts"in the Network Discovery policy, but when testing 5 login attempts - I get 5 "User Login" events with authentication type "No Authentication" (screenshot attached). Last 2 events (per timestamp) are for 1 successful and 1 unsuccessful login, where as the next are with non-existing users in the database and 1 successful (anonymous user) and 2 unsuccessful attempts  - with no discrepancy between successful and un-successful login and known, unknown users... 

 

This is for every protocol that is being captured by the Network Discovery policy - the example is with FTP logins. 

How can I filter to see only Failed User Login events? Am I doing something wrong?

Thanks in advance for your support! 

Best regards,

Petar Trifonov

0 REPLIES 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: