[Defender] mask login area issue /login/ url

I install Defender and set up mask login 5 days ago, so /wp-admin and /wp-login.php display
This feature is disabled which is correct.

However in EVENT LOGS exist events like:
User login fail. Username: XXX where XXX is a username.
Those event are from different random ip's.

My admin IP is static from years. During the chat we clarify that when you type /login/ in address bar you are redirect to login form.
Looks like an issue. Is this a know bug?