Brute Force Protection Non-Functional

We recently noticed some brute force attacks on our Grafana site. When looking into options for brute force protection, I came across the Grafana configuration parameter, disable_brute_force_protection, which is set to False by default. I have not changed it in my configuration. However, I ran a test to enter the wrong password for an existing username and I was able to enter the wrong password 20-30 times before giving up. What is the status of this feature? Does it actually work?