I'm in the process of overhauling the password configuration for customer end users on the service portal (internal users are accessing via SSO) and specifically have enabled failed logins by using the script action 'SNC User Lockout Check with Auto Unlock'. This works fine with one exception, for each failed login I'm getting 2 'login.failed' events logged which then doubles the increase on the 'Failed login attempts' field on the sys_user table, i.e., for each failed login the field increases by an increment of 2 instead of 1. This means that instead of using the suggested threshold of 5 failed logins in the script action I've had to double the parameter 10, which then locks an user out after 6 failed logins, which is the requirement.

Whilst this effectively works I'm wary and would prefer to check and double check why these are both triggering.... I've checked on different production instances and my PDI and when reviewing the event registry I can see 2 events listed there, so this looks to be OOTB configuration: 

1: 'login.failed' on 'sys_user' table

Description: 'Login failed'

2: 'login.failed' on 'sysevent' table

Description: 'Capture failed logins for security dashboard'

I'm struggling to identify what is triggering both of these events as they both have the 'Fired by' field set as 'system' and as I'm having to use a user who's not logged in to trigger the failed login then script tracer or other debug tools don't give me an insight into what is triggering these events. 

Has anybody else been in a similar situation and/or able to give an insight into the 2 events and why they're identically named, and more importantly, what the best course of action is? I'd be far happier only seeing one event triggered and the script action parameters defined without having to accommodate the duplication. 

Many thanks in advance for any assistance!