Hello There,
The term unknown simply means firepower does not know the username associated with that IP address.
It can happen for multiple reasons but since the feature is working for most of other users, I would start the troubleshooting from user agent itself.
User agent is dependent on reading windows logon event 4624 to identify new domain logons and then create user-IP mapping to be forwarded to FMC.
>Login to machine which has user agent installed and then navigate to its installation directory.
>There will be an application called tools.exe.
>Run the app as admin and export current user-IP map from 4th tab.
If this mapping does not have the user-mapping for unknown users that you see on FMC, its likely that AD is not generating the logon events for those users and AD ecosystem needs to be checked.
If the mapping does have the user-IP mapping but the same does not show up on FMC, then the troubleshooting goes to FMC and can have multiple causes.
If the FMC is already on latest release, it could be that when FMC does LDAP query for those usersnames provided by user agent, it does not get sAMAccountName attribute and thus FMC does not recognize it as valid user.
If that doesn't solve the problem, then go ahead and open TAC case.
Rate if helps,
Yogesh