The default aggregation setting is: (Source IP, Destination IP, Signature ID)
In the case of authentication events, the default aggregation settings lose the required details needed for compliance monitoring of a username or what a security analyst would need to investigate an incident.
In the new version 9.6, I hope that McAfee changes the default aggregation settings exclusively for the authentication events to be (Username, Source IP, Signature ID).
I can't speak for 9.6; however, you can change the aggregation settings for certain authentication events. Select the event, and click on modify aggregation settings. You can then change the settings so it aggregates on whatever field you want, usually source user, destination IP.
Of course you can change the aggregation settings for certain authentication events, but I hope that McAfee SIEM will be smart enough to do it automatically without any intervention.
I don't think it would be wise to turn off aggregation for all authentication events. I understand what you are saying, that it is easier to simply turn off aggregation for a well-known event. However, the purpose of the aggregation exception screen (under event aggregation) is to allow you to modify aggregation for certain rules. This way, aggregation is still serving its basic function (summarizing data and enhancing performance) and allowing each customer to modify according to his/her needs.
I did not say to turn off aggregation for all authentication events; what I said is that the aggregation for all authentication events must be suitable to be: (Username, Source IP, Signature ID) automatically without any intervention.
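
An added illustration of the trade-off discussed in this thread (not code from any poster or from McAfee): a small Python model that aggregates the same failed-logon events under both field sets and reports which usernames disappear from the aggregated records. The events, the signature ID value, and the assumption that non-key fields keep the value of the first event in each group are all constructed for the example.

```python
# Constructed sample events: failed logons sharing one placeholder signature ID.
EVENTS = [
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.1.10", "sig_id": "SIG-LOGON-FAIL", "user": "alice"},
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.1.10", "sig_id": "SIG-LOGON-FAIL", "user": "bob"},
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.1.10", "sig_id": "SIG-LOGON-FAIL", "user": "carol"},
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.1.10", "sig_id": "SIG-LOGON-FAIL", "user": "alice"},
    {"src_ip": "10.0.0.9", "dst_ip": "10.0.1.10", "sig_id": "SIG-LOGON-FAIL", "user": "dave"},
]

DEFAULT_KEY = ("src_ip", "dst_ip", "sig_id")  # default setting quoted in the thread
AUTH_KEY = ("user", "src_ip", "sig_id")       # setting proposed for authentication events


def aggregate(events, key_fields):
    """Collapse events with identical key fields into one record plus a count.

    Assumption for this model: fields outside the key keep the value
    from the first event seen in each group.
    """
    groups = {}
    for ev in events:
        key = tuple(ev[f] for f in key_fields)
        if key not in groups:
            groups[key] = dict(ev, count=0)
        groups[key]["count"] += 1
    return list(groups.values())


def hidden_users(events, key_fields):
    """Usernames present in the raw events but absent after aggregation."""
    raw = {ev["user"] for ev in events}
    kept = {rec["user"] for rec in aggregate(events, key_fields)}
    return raw - kept


def failures_per_user(events, key_fields):
    """Per-username failure counts as an analyst would read them from aggregated data."""
    totals = {}
    for rec in aggregate(events, key_fields):
        totals[rec["user"]] = totals.get(rec["user"], 0) + rec["count"]
    return totals


if __name__ == "__main__":
    for name, key in (("default", DEFAULT_KEY), ("auth", AUTH_KEY)):
        print(name, len(aggregate(EVENTS, key)), "records;",
              "hidden users:", sorted(hidden_users(EVENTS, key)),
              "per-user:", failures_per_user(EVENTS, key))
```

Under the default key, all four failures from 10.0.0.5 are attributed to the first username seen; under the username-based key, each account keeps its own count while repeated failures for the same account are still summarized.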