diff --git a/.tests/windows-bf/scenario.assert b/.tests/windows-bf/scenario.assert
index 7173af6600c..8dc1cdd1bab 100644
--- a/.tests/windows-bf/scenario.assert
+++ b/.tests/windows-bf/scenario.assert
@@ -1,63 +1,125 @@
-len(results) == 1
-"192.168.9.212" in results[0].Overflow.GetSources()
-results[0].Overflow.Sources["192.168.9.212"].IP == "192.168.9.212"
-results[0].Overflow.Sources["192.168.9.212"].Range == ""
-results[0].Overflow.Sources["192.168.9.212"].GetScope() == "Ip"
-results[0].Overflow.Sources["192.168.9.212"].GetValue() == "192.168.9.212"
+len(results) == 2
+"192.168.9.212" in results[1].Overflow.GetSources()
+"192.168.9.213" in results[0].Overflow.GetSources()
+results[1].Overflow.Sources["192.168.9.212"].IP == "192.168.9.212"
+results[1].Overflow.Sources["192.168.9.212"].Range == ""
+results[1].Overflow.Sources["192.168.9.212"].GetScope() == "Ip"
+results[1].Overflow.Sources["192.168.9.212"].GetValue() == "192.168.9.212"
+results[0].Overflow.Sources["192.168.9.213"].IP == "192.168.9.213"
+results[0].Overflow.Sources["192.168.9.213"].Range == ""
+results[0].Overflow.Sources["192.168.9.213"].GetScope() == "Ip"
+results[0].Overflow.Sources["192.168.9.213"].GetValue() == "192.168.9.213"
basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "windows-bf.log"
results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "wineventlog"
results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "windows_failed_auth"
results[0].Overflow.Alert.Events[0].GetMeta("logon_type") == "3"
-results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.9.212"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.9.213"
results[0].Overflow.Alert.Events[0].GetMeta("status") == "0xc000006d"
results[0].Overflow.Alert.Events[0].GetMeta("sub_status") == "0xc0000064"
-results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-04-29T12:36:01.9027913Z"
-results[0].Overflow.Alert.Events[0].GetMeta("username") == "asdfasdf"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-11-03T19:58:18.2731995Z"
+results[0].Overflow.Alert.Events[0].GetMeta("username") == "qwertyqwerty"
basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "windows-bf.log"
results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "wineventlog"
results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "windows_failed_auth"
results[0].Overflow.Alert.Events[1].GetMeta("logon_type") == "3"
-results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.9.212"
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.9.213"
results[0].Overflow.Alert.Events[1].GetMeta("status") == "0xc000006d"
results[0].Overflow.Alert.Events[1].GetMeta("sub_status") == "0xc0000064"
-results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-04-29T12:36:02.2268806Z"
-results[0].Overflow.Alert.Events[1].GetMeta("username") == "asdfasdf"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-11-03T19:58:19.2731995Z"
+results[0].Overflow.Alert.Events[1].GetMeta("username") == "qwertyqwerty"
basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "windows-bf.log"
results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "wineventlog"
results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "windows_failed_auth"
results[0].Overflow.Alert.Events[2].GetMeta("logon_type") == "3"
-results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.9.212"
+results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.9.213"
results[0].Overflow.Alert.Events[2].GetMeta("status") == "0xc000006d"
results[0].Overflow.Alert.Events[2].GetMeta("sub_status") == "0xc0000064"
-results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-04-29T12:36:03.2268806Z"
-results[0].Overflow.Alert.Events[2].GetMeta("username") == "asdfasdf"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-11-03T19:58:20.2731995Z"
+results[0].Overflow.Alert.Events[2].GetMeta("username") == "qwertyqwerty"
basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "windows-bf.log"
results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "wineventlog"
results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "windows_failed_auth"
results[0].Overflow.Alert.Events[3].GetMeta("logon_type") == "3"
-results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.9.212"
+results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.9.213"
results[0].Overflow.Alert.Events[3].GetMeta("status") == "0xc000006d"
results[0].Overflow.Alert.Events[3].GetMeta("sub_status") == "0xc0000064"
-results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-04-29T12:36:04.2268806Z"
-results[0].Overflow.Alert.Events[3].GetMeta("username") == "asdfasdf"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-11-03T19:58:21.2731995Z"
+results[0].Overflow.Alert.Events[3].GetMeta("username") == "qwertyqwerty"
basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "windows-bf.log"
results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "wineventlog"
results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "windows_failed_auth"
results[0].Overflow.Alert.Events[4].GetMeta("logon_type") == "3"
-results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.9.212"
+results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.9.213"
results[0].Overflow.Alert.Events[4].GetMeta("status") == "0xc000006d"
results[0].Overflow.Alert.Events[4].GetMeta("sub_status") == "0xc0000064"
-results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-04-29T12:36:06.2268806Z"
-results[0].Overflow.Alert.Events[4].GetMeta("username") == "asdfasdf"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-11-03T19:58:22.2731995Z"
+results[0].Overflow.Alert.Events[4].GetMeta("username") == "qwertyqwerty"
basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "windows-bf.log"
results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "wineventlog"
results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "windows_failed_auth"
results[0].Overflow.Alert.Events[5].GetMeta("logon_type") == "3"
-results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.9.212"
+results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.9.213"
results[0].Overflow.Alert.Events[5].GetMeta("status") == "0xc000006d"
results[0].Overflow.Alert.Events[5].GetMeta("sub_status") == "0xc0000064"
-results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-04-29T12:36:07.2268806Z"
-results[0].Overflow.Alert.Events[5].GetMeta("username") == "asdfasdf"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-11-03T19:58:23.2731995Z"
+results[0].Overflow.Alert.Events[5].GetMeta("username") == "qwertyqwerty"
results[0].Overflow.Alert.GetScenario() == "crowdsecurity/windows-bf"
results[0].Overflow.Alert.Remediation == true
-results[0].Overflow.Alert.GetEventsCount() == 6
\ No newline at end of file
+results[0].Overflow.Alert.GetEventsCount() == 6
+basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "windows-bf.log"
+results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "wineventlog"
+results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "windows_failed_auth"
+results[1].Overflow.Alert.Events[0].GetMeta("logon_type") == "3"
+results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.9.212"
+results[1].Overflow.Alert.Events[0].GetMeta("status") == "0xc000006d"
+results[1].Overflow.Alert.Events[0].GetMeta("sub_status") == "0xc0000064"
+results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-04-29T12:36:01.9027913Z"
+results[1].Overflow.Alert.Events[0].GetMeta("username") == "asdfasdf"
+basename(results[1].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "windows-bf.log"
+results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "wineventlog"
+results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "windows_failed_auth"
+results[1].Overflow.Alert.Events[1].GetMeta("logon_type") == "3"
+results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.9.212"
+results[1].Overflow.Alert.Events[1].GetMeta("status") == "0xc000006d"
+results[1].Overflow.Alert.Events[1].GetMeta("sub_status") == "0xc0000064"
+results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-04-29T12:36:02.2268806Z"
+results[1].Overflow.Alert.Events[1].GetMeta("username") == "asdfasdf"
+basename(results[1].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "windows-bf.log"
+results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "wineventlog"
+results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "windows_failed_auth"
+results[1].Overflow.Alert.Events[2].GetMeta("logon_type") == "3"
+results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.9.212"
+results[1].Overflow.Alert.Events[2].GetMeta("status") == "0xc000006d"
+results[1].Overflow.Alert.Events[2].GetMeta("sub_status") == "0xc0000064"
+results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-04-29T12:36:03.2268806Z"
+results[1].Overflow.Alert.Events[2].GetMeta("username") == "asdfasdf"
+basename(results[1].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "windows-bf.log"
+results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "wineventlog"
+results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "windows_failed_auth"
+results[1].Overflow.Alert.Events[3].GetMeta("logon_type") == "3"
+results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.9.212"
+results[1].Overflow.Alert.Events[3].GetMeta("status") == "0xc000006d"
+results[1].Overflow.Alert.Events[3].GetMeta("sub_status") == "0xc0000064"
+results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-04-29T12:36:04.2268806Z"
+results[1].Overflow.Alert.Events[3].GetMeta("username") == "asdfasdf"
+basename(results[1].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "windows-bf.log"
+results[1].Overflow.Alert.Events[4].GetMeta("datasource_type") == "wineventlog"
+results[1].Overflow.Alert.Events[4].GetMeta("log_type") == "windows_failed_auth"
+results[1].Overflow.Alert.Events[4].GetMeta("logon_type") == "3"
+results[1].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.9.212"
+results[1].Overflow.Alert.Events[4].GetMeta("status") == "0xc000006d"
+results[1].Overflow.Alert.Events[4].GetMeta("sub_status") == "0xc0000064"
+results[1].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-04-29T12:36:06.2268806Z"
+results[1].Overflow.Alert.Events[4].GetMeta("username") == "asdfasdf"
+basename(results[1].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "windows-bf.log"
+results[1].Overflow.Alert.Events[5].GetMeta("datasource_type") == "wineventlog"
+results[1].Overflow.Alert.Events[5].GetMeta("log_type") == "windows_failed_auth"
+results[1].Overflow.Alert.Events[5].GetMeta("logon_type") == "3"
+results[1].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.9.212"
+results[1].Overflow.Alert.Events[5].GetMeta("status") == "0xc000006d"
+results[1].Overflow.Alert.Events[5].GetMeta("sub_status") == "0xc0000064"
+results[1].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-04-29T12:36:07.2268806Z"
+results[1].Overflow.Alert.Events[5].GetMeta("username") == "asdfasdf"
+results[1].Overflow.Alert.GetScenario() == "crowdsecurity/windows-bf"
+results[1].Overflow.Alert.Remediation == true
+results[1].Overflow.Alert.GetEventsCount() == 6
\ No newline at end of file
diff --git a/.tests/windows-bf/windows-bf.log b/.tests/windows-bf/windows-bf.log
index 54af0b9bf1d..1880d0f6a0e 100644
--- a/.tests/windows-bf/windows-bf.log
+++ b/.tests/windows-bf/windows-bf.log
@@ -3,4 +3,10 @@
4625 0 0 12544 0 0x8010000000000000 2561 Security exchange-1.mydomain.test S-1-0-0 - - 0x0 S-1-0-0 asdfasdf MYDOMAIN 0xc000006d %%2313 0xc0000064 3 NtLmSsp NTLM DESKTOP-7QD9TN3 - - 0 0x0 - 192.168.9.212 0
4625 0 0 12544 0 0x8010000000000000 2562 Security exchange-1.mydomain.test S-1-0-0 - - 0x0 S-1-0-0 asdfasdf MYDOMAIN 0xc000006d %%2313 0xc0000064 3 NtLmSsp NTLM DESKTOP-7QD9TN3 - - 0 0x0 - 192.168.9.212 0
4625 0 0 12544 0 0x8010000000000000 2563 Security exchange-1.mydomain.test S-1-0-0 - - 0x0 S-1-0-0 asdfasdf MYDOMAIN 0xc000006d %%2313 0xc0000064 3 NtLmSsp NTLM DESKTOP-7QD9TN3 - - 0 0x0 - 192.168.9.212 0
- 4625 0 0 12544 0 0x8010000000000000 2563 Security exchange-1.mydomain.test S-1-0-0 - - 0x0 S-1-0-0 asdfasdf MYDOMAIN 0xc000006d %%2313 0xc0000064 3 NtLmSsp NTLM DESKTOP-7QD9TN3 - - 0 0x0 - 192.168.9.212 0
\ No newline at end of file
+ 4625 0 0 12544 0 0x8010000000000000 2563 Security exchange-1.mydomain.test S-1-0-0 - - 0x0 S-1-0-0 asdfasdf MYDOMAIN 0xc000006d %%2313 0xc0000064 3 NtLmSsp NTLM DESKTOP-7QD9TN3 - - 0 0x0 - 192.168.9.212 0
+{"source":"Microsoft-Windows-Security-Auditing","channel":"Security","computer":"exchange-1.mydomain.test","event_id":4625,"task":12544,"levelText":"Information","taskText":"Logon","opCodeText":"Info","keywords":"Audit Failure","timeCreated":"2025-11-03T19:58:18.273199500Z","eventRecordID":2564,"execution":{"processId":780,"threadId":3612,"processName":"lsass.exe"},"event_data":"\u003cData Name='SubjectUserSid'\u003eS-1-0-0\u003c/Data\u003e\u003cData Name='SubjectUserName'\u003e-\u003c/Data\u003e\u003cData Name='SubjectDomainName'\u003e-\u003c/Data\u003e\u003cData Name='SubjectLogonId'\u003e0x0\u003c/Data\u003e\u003cData Name='TargetUserSid'\u003eS-1-0-0\u003c/Data\u003e\u003cData Name='TargetUserName'\u003eqwertyqwerty\u003c/Data\u003e\u003cData Name='TargetDomainName'\u003eMYDOMAIN\u003c/Data\u003e\u003cData Name='Status'\u003e0xc000006d\u003c/Data\u003e\u003cData Name='FailureReason'\u003e%%2313\u003c/Data\u003e\u003cData Name='SubStatus'\u003e0xc0000064\u003c/Data\u003e\u003cData Name='LogonType'\u003e3\u003c/Data\u003e\u003cData Name='LogonProcessName'\u003eNtLmSsp \u003c/Data\u003e\u003cData Name='AuthenticationPackageName'\u003eNTLM\u003c/Data\u003e\u003cData Name='WorkstationName'\u003eDESKTOP-7QD9TN4\u003c/Data\u003e\u003cData Name='TransmittedServices'\u003e-\u003c/Data\u003e\u003cData Name='LmPackageName'\u003e-\u003c/Data\u003e\u003cData Name='KeyLength'\u003e0\u003c/Data\u003e\u003cData Name='ProcessId'\u003e0x0\u003c/Data\u003e\u003cData Name='ProcessName'\u003e-\u003c/Data\u003e\u003cData Name='IpAddress'\u003e192.168.9.213\u003c/Data\u003e\u003cData Name='IpPort'\u003e0\u003c/Data\u003e"}
+{"source":"Microsoft-Windows-Security-Auditing","channel":"Security","computer":"exchange-1.mydomain.test","event_id":4625,"task":12544,"levelText":"Information","taskText":"Logon","opCodeText":"Info","keywords":"Audit Failure","timeCreated":"2025-11-03T19:58:19.273199500Z","eventRecordID":2565,"execution":{"processId":780,"threadId":3612,"processName":"lsass.exe"},"event_data":"\u003cData Name='SubjectUserSid'\u003eS-1-0-0\u003c/Data\u003e\u003cData Name='SubjectUserName'\u003e-\u003c/Data\u003e\u003cData Name='SubjectDomainName'\u003e-\u003c/Data\u003e\u003cData Name='SubjectLogonId'\u003e0x0\u003c/Data\u003e\u003cData Name='TargetUserSid'\u003eS-1-0-0\u003c/Data\u003e\u003cData Name='TargetUserName'\u003eqwertyqwerty\u003c/Data\u003e\u003cData Name='TargetDomainName'\u003eMYDOMAIN\u003c/Data\u003e\u003cData Name='Status'\u003e0xc000006d\u003c/Data\u003e\u003cData Name='FailureReason'\u003e%%2313\u003c/Data\u003e\u003cData Name='SubStatus'\u003e0xc0000064\u003c/Data\u003e\u003cData Name='LogonType'\u003e3\u003c/Data\u003e\u003cData Name='LogonProcessName'\u003eNtLmSsp \u003c/Data\u003e\u003cData Name='AuthenticationPackageName'\u003eNTLM\u003c/Data\u003e\u003cData Name='WorkstationName'\u003eDESKTOP-7QD9TN4\u003c/Data\u003e\u003cData Name='TransmittedServices'\u003e-\u003c/Data\u003e\u003cData Name='LmPackageName'\u003e-\u003c/Data\u003e\u003cData Name='KeyLength'\u003e0\u003c/Data\u003e\u003cData Name='ProcessId'\u003e0x0\u003c/Data\u003e\u003cData Name='ProcessName'\u003e-\u003c/Data\u003e\u003cData Name='IpAddress'\u003e192.168.9.213\u003c/Data\u003e\u003cData Name='IpPort'\u003e0\u003c/Data\u003e"}
+{"source":"Microsoft-Windows-Security-Auditing","channel":"Security","computer":"exchange-1.mydomain.test","event_id":4625,"task":12544,"levelText":"Information","taskText":"Logon","opCodeText":"Info","keywords":"Audit Failure","timeCreated":"2025-11-03T19:58:20.273199500Z","eventRecordID":2566,"execution":{"processId":780,"threadId":3612,"processName":"lsass.exe"},"event_data":"\u003cData Name='SubjectUserSid'\u003eS-1-0-0\u003c/Data\u003e\u003cData Name='SubjectUserName'\u003e-\u003c/Data\u003e\u003cData Name='SubjectDomainName'\u003e-\u003c/Data\u003e\u003cData Name='SubjectLogonId'\u003e0x0\u003c/Data\u003e\u003cData Name='TargetUserSid'\u003eS-1-0-0\u003c/Data\u003e\u003cData Name='TargetUserName'\u003eqwertyqwerty\u003c/Data\u003e\u003cData Name='TargetDomainName'\u003eMYDOMAIN\u003c/Data\u003e\u003cData Name='Status'\u003e0xc000006d\u003c/Data\u003e\u003cData Name='FailureReason'\u003e%%2313\u003c/Data\u003e\u003cData Name='SubStatus'\u003e0xc0000064\u003c/Data\u003e\u003cData Name='LogonType'\u003e3\u003c/Data\u003e\u003cData Name='LogonProcessName'\u003eNtLmSsp \u003c/Data\u003e\u003cData Name='AuthenticationPackageName'\u003eNTLM\u003c/Data\u003e\u003cData Name='WorkstationName'\u003eDESKTOP-7QD9TN4\u003c/Data\u003e\u003cData Name='TransmittedServices'\u003e-\u003c/Data\u003e\u003cData Name='LmPackageName'\u003e-\u003c/Data\u003e\u003cData Name='KeyLength'\u003e0\u003c/Data\u003e\u003cData Name='ProcessId'\u003e0x0\u003c/Data\u003e\u003cData Name='ProcessName'\u003e-\u003c/Data\u003e\u003cData Name='IpAddress'\u003e192.168.9.213\u003c/Data\u003e\u003cData Name='IpPort'\u003e0\u003c/Data\u003e"}
+{"source":"Microsoft-Windows-Security-Auditing","channel":"Security","computer":"exchange-1.mydomain.test","event_id":4625,"task":12544,"levelText":"Information","taskText":"Logon","opCodeText":"Info","keywords":"Audit Failure","timeCreated":"2025-11-03T19:58:21.273199500Z","eventRecordID":2567,"execution":{"processId":780,"threadId":3612,"processName":"lsass.exe"},"event_data":"\u003cData Name='SubjectUserSid'\u003eS-1-0-0\u003c/Data\u003e\u003cData Name='SubjectUserName'\u003e-\u003c/Data\u003e\u003cData Name='SubjectDomainName'\u003e-\u003c/Data\u003e\u003cData Name='SubjectLogonId'\u003e0x0\u003c/Data\u003e\u003cData Name='TargetUserSid'\u003eS-1-0-0\u003c/Data\u003e\u003cData Name='TargetUserName'\u003eqwertyqwerty\u003c/Data\u003e\u003cData Name='TargetDomainName'\u003eMYDOMAIN\u003c/Data\u003e\u003cData Name='Status'\u003e0xc000006d\u003c/Data\u003e\u003cData Name='FailureReason'\u003e%%2313\u003c/Data\u003e\u003cData Name='SubStatus'\u003e0xc0000064\u003c/Data\u003e\u003cData Name='LogonType'\u003e3\u003c/Data\u003e\u003cData Name='LogonProcessName'\u003eNtLmSsp \u003c/Data\u003e\u003cData Name='AuthenticationPackageName'\u003eNTLM\u003c/Data\u003e\u003cData Name='WorkstationName'\u003eDESKTOP-7QD9TN4\u003c/Data\u003e\u003cData Name='TransmittedServices'\u003e-\u003c/Data\u003e\u003cData Name='LmPackageName'\u003e-\u003c/Data\u003e\u003cData Name='KeyLength'\u003e0\u003c/Data\u003e\u003cData Name='ProcessId'\u003e0x0\u003c/Data\u003e\u003cData Name='ProcessName'\u003e-\u003c/Data\u003e\u003cData Name='IpAddress'\u003e192.168.9.213\u003c/Data\u003e\u003cData Name='IpPort'\u003e0\u003c/Data\u003e"}
+{"source":"Microsoft-Windows-Security-Auditing","channel":"Security","computer":"exchange-1.mydomain.test","event_id":4625,"task":12544,"levelText":"Information","taskText":"Logon","opCodeText":"Info","keywords":"Audit Failure","timeCreated":"2025-11-03T19:58:22.273199500Z","eventRecordID":2568,"execution":{"processId":780,"threadId":3612,"processName":"lsass.exe"},"event_data":"\u003cData Name='SubjectUserSid'\u003eS-1-0-0\u003c/Data\u003e\u003cData Name='SubjectUserName'\u003e-\u003c/Data\u003e\u003cData Name='SubjectDomainName'\u003e-\u003c/Data\u003e\u003cData Name='SubjectLogonId'\u003e0x0\u003c/Data\u003e\u003cData Name='TargetUserSid'\u003eS-1-0-0\u003c/Data\u003e\u003cData Name='TargetUserName'\u003eqwertyqwerty\u003c/Data\u003e\u003cData Name='TargetDomainName'\u003eMYDOMAIN\u003c/Data\u003e\u003cData Name='Status'\u003e0xc000006d\u003c/Data\u003e\u003cData Name='FailureReason'\u003e%%2313\u003c/Data\u003e\u003cData Name='SubStatus'\u003e0xc0000064\u003c/Data\u003e\u003cData Name='LogonType'\u003e3\u003c/Data\u003e\u003cData Name='LogonProcessName'\u003eNtLmSsp \u003c/Data\u003e\u003cData Name='AuthenticationPackageName'\u003eNTLM\u003c/Data\u003e\u003cData Name='WorkstationName'\u003eDESKTOP-7QD9TN4\u003c/Data\u003e\u003cData Name='TransmittedServices'\u003e-\u003c/Data\u003e\u003cData Name='LmPackageName'\u003e-\u003c/Data\u003e\u003cData Name='KeyLength'\u003e0\u003c/Data\u003e\u003cData Name='ProcessId'\u003e0x0\u003c/Data\u003e\u003cData Name='ProcessName'\u003e-\u003c/Data\u003e\u003cData Name='IpAddress'\u003e192.168.9.213\u003c/Data\u003e\u003cData Name='IpPort'\u003e0\u003c/Data\u003e"}
+{"source":"Microsoft-Windows-Security-Auditing","channel":"Security","computer":"exchange-1.mydomain.test","event_id":4625,"task":12544,"levelText":"Information","taskText":"Logon","opCodeText":"Info","keywords":"Audit Failure","timeCreated":"2025-11-03T19:58:23.273199500Z","eventRecordID":2569,"execution":{"processId":780,"threadId":3612,"processName":"lsass.exe"},"event_data":"\u003cData Name='SubjectUserSid'\u003eS-1-0-0\u003c/Data\u003e\u003cData Name='SubjectUserName'\u003e-\u003c/Data\u003e\u003cData Name='SubjectDomainName'\u003e-\u003c/Data\u003e\u003cData Name='SubjectLogonId'\u003e0x0\u003c/Data\u003e\u003cData Name='TargetUserSid'\u003eS-1-0-0\u003c/Data\u003e\u003cData Name='TargetUserName'\u003eqwertyqwerty\u003c/Data\u003e\u003cData Name='TargetDomainName'\u003eMYDOMAIN\u003c/Data\u003e\u003cData Name='Status'\u003e0xc000006d\u003c/Data\u003e\u003cData Name='FailureReason'\u003e%%2313\u003c/Data\u003e\u003cData Name='SubStatus'\u003e0xc0000064\u003c/Data\u003e\u003cData Name='LogonType'\u003e3\u003c/Data\u003e\u003cData Name='LogonProcessName'\u003eNtLmSsp \u003c/Data\u003e\u003cData Name='AuthenticationPackageName'\u003eNTLM\u003c/Data\u003e\u003cData Name='WorkstationName'\u003eDESKTOP-7QD9TN4\u003c/Data\u003e\u003cData Name='TransmittedServices'\u003e-\u003c/Data\u003e\u003cData Name='LmPackageName'\u003e-\u003c/Data\u003e\u003cData Name='KeyLength'\u003e0\u003c/Data\u003e\u003cData Name='ProcessId'\u003e0x0\u003c/Data\u003e\u003cData Name='ProcessName'\u003e-\u003c/Data\u003e\u003cData Name='IpAddress'\u003e192.168.9.213\u003c/Data\u003e\u003cData Name='IpPort'\u003e0\u003c/Data\u003e"}
\ No newline at end of file
diff --git a/.tests/windows-logs/parser.assert b/.tests/windows-logs/parser.assert
index d8acf9269d1..0c1e8d5b561 100644
--- a/.tests/windows-logs/parser.assert
+++ b/.tests/windows-logs/parser.assert
@@ -1,5 +1,5 @@
len(results) == 3
-len(results["s00-raw"]["crowdsecurity/windows-eventlog"]) == 1
+len(results["s00-raw"]["crowdsecurity/windows-eventlog"]) == 2
results["s00-raw"]["crowdsecurity/windows-eventlog"][0].Success == true
results["s00-raw"]["crowdsecurity/windows-eventlog"][0].Evt.Parsed["program"] == "wineventlog"
results["s00-raw"]["crowdsecurity/windows-eventlog"][0].Evt.Parsed["Channel"] == "Security"
@@ -8,9 +8,18 @@ results["s00-raw"]["crowdsecurity/windows-eventlog"][0].Evt.Parsed["EventID"] ==
results["s00-raw"]["crowdsecurity/windows-eventlog"][0].Evt.Parsed["Source"] == "Microsoft-Windows-Security-Auditing"
results["s00-raw"]["crowdsecurity/windows-eventlog"][0].Evt.Meta["datasource_path"] == "windows-logs.log"
results["s00-raw"]["crowdsecurity/windows-eventlog"][0].Evt.Meta["datasource_type"] == "wineventlog"
-len(results["s00-raw"]["overrides"]) == 1
+results["s00-raw"]["crowdsecurity/windows-eventlog"][1].Success == true
+results["s00-raw"]["crowdsecurity/windows-eventlog"][1].Evt.Parsed["program"] == "wineventlog"
+results["s00-raw"]["crowdsecurity/windows-eventlog"][1].Evt.Parsed["Channel"] == "Security"
+results["s00-raw"]["crowdsecurity/windows-eventlog"][1].Evt.Parsed["Computer"] == "exchange-1.mydomain.test"
+results["s00-raw"]["crowdsecurity/windows-eventlog"][1].Evt.Parsed["EventID"] == "4625"
+results["s00-raw"]["crowdsecurity/windows-eventlog"][1].Evt.Parsed["Source"] == "Microsoft-Windows-Security-Auditing"
+results["s00-raw"]["crowdsecurity/windows-eventlog"][1].Evt.Meta["datasource_path"] == "windows-logs.log"
+results["s00-raw"]["crowdsecurity/windows-eventlog"][1].Evt.Meta["datasource_type"] == "wineventlog"
+len(results["s00-raw"]["overrides"]) == 2
results["s00-raw"]["overrides"][0].Success == true
-len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 1
+results["s00-raw"]["overrides"][1].Success == true
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 2
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["Source"] == "Microsoft-Windows-Security-Auditing"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "wineventlog"
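Review bot: The new `[1]` assertions cover only the fields whose JSON mapping is a direct copy (`Channel`, `Computer`, `EventID`, `Source`) and skip `UserSID` and `EventData`, the two parsed fields the JSON branch of the s00-raw parser derives differently from the XML branch. Adding `results["s00-raw"]["crowdsecurity/windows-eventlog"][1].Evt.Parsed["UserSID"] == "<EXPECTED_SID>"` (placeholder, to be filled from the fixture) would show whether the `/Data[@Name='UserID']` lookup returns anything for this fixture, and an assertion on `Evt.Parsed["EventData"]` would pin the raw fragment that the s01 stage reads.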
@@ -20,4 +29,14 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["EventID"]
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "windows-logs.log"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "wineventlog"
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2022-04-28T16:09:28.9443547Z"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2022-04-28T16:09:28.9443547Z"
\ No newline at end of file
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2022-04-28T16:09:28.9443547Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["Source"] == "Microsoft-Windows-Security-Auditing"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "wineventlog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["Channel"] == "Security"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["Computer"] == "exchange-1.mydomain.test"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["EventID"] == "4625"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "windows-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "wineventlog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2025-11-03T18:47:24.221659Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2025-11-03T18:47:24.221659Z"
\ No newline at end of file
diff --git a/.tests/windows-logs/windows-logs.log b/.tests/windows-logs/windows-logs.log
index db5cda9ad7a..3c35c52df87 100644
--- a/.tests/windows-logs/windows-logs.log
+++ b/.tests/windows-logs/windows-logs.log
@@ -1 +1,2 @@
-- - 4625 0 0 12544 0 0x8010000000000000 2524 Security exchange-1.mydomain.test - S-1-5-18 EXCHANGE-1$ MYDOMAIN 0x3e7 S-1-0-0 testuser@mydomain.test EXCHANGE-1 0xc000006d %%2313 0xc0000064 8 Advapi Negotiate EXCHANGE-1 - - 0 0x14a0 C:\Windows\System32\inetsrv\w3wp.exe 192.168.9.212 1628
\ No newline at end of file
+- 4625 0 0 12544 0 0x8010000000000000 2524 Security exchange-1.mydomain.test - S-1-5-18 EXCHANGE-1$ MYDOMAIN 0x3e7 S-1-0-0 testuser@mydomain.test EXCHANGE-1 0xc000006d %%2313 0xc0000064 8 Advapi Negotiate EXCHANGE-1 - - 0 0x14a0 C:\Windows\System32\inetsrv\w3wp.exe 192.168.9.212 1628
+{"source":"Microsoft-Windows-Security-Auditing","channel":"Security","computer":"exchange-1.mydomain.test","event_id":4625,"task":12544,"levelText":"Information","taskText":"Logon","opCodeText":"Info","keywords":"Audit Failure","timeCreated":"2025-11-03T18:47:24.221659000Z","eventRecordID":4794354943,"execution":{"processId":780,"threadId":9336,"processName":"lsass.exe"},"event_data":"\u003cData Name='SubjectUserSid'\u003eS-1-5-18\u003c/Data\u003e\u003cData Name='SubjectUserName'\u003eEXCHANGE-1\u003c/Data\u003e\u003cData Name='SubjectDomainName'\u003eMYDOMAIN\u003c/Data\u003e\u003cData Name='SubjectLogonId'\u003e0x3e7\u003c/Data\u003e\u003cData Name='TargetUserSid'\u003eS-1-0-0\u003c/Data\u003e\u003cData Name='TargetUserName'\u003etestuser@mydomain.test\u003c/Data\u003e\u003cData Name='TargetDomainName'\u003eEXCHANGE-1\u003c/Data\u003e\u003cData Name='Status'\u003e0xc000006d\u003c/Data\u003e\u003cData Name='FailureReason'\u003e%%2313\u003c/Data\u003e\u003cData Name='SubStatus'\u003e0xc0000064\u003c/Data\u003e\u003cData Name='LogonType'\u003e8\u003c/Data\u003e\u003cData Name='LogonProcessName'\u003eAdvapi\u003c/Data\u003e\u003cData Name='AuthenticationPackageName'\u003eNegotiage\u003c/Data\u003e\u003cData Name='WorkstationName'\u003eEXCHANGE-1\u003c/Data\u003e\u003cData Name='TransmittedServices'\u003e-\u003c/Data\u003e\u003cData Name='LmPackageName'\u003e-\u003c/Data\u003e\u003cData Name='KeyLength'\u003e0\u003c/Data\u003e\u003cData Name='ProcessId'\u003e0x14a0\u003c/Data\u003e\u003cData Name='ProcessName'\u003eC:\\Windows\\System32\\inetsrv\\w3wp.exe\u003c/Data\u003e\u003cData Name='IpAddress'\u003e192.168.9.212\u003c/Data\u003e\u003cData Name='IpPort'\u003e1628\u003c/Data\u003e"}
\ No newline at end of file
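Review bot: The JSON fixture's `AuthenticationPackageName` reads `Negotiage` while the legacy line above it says `Negotiate` for the same event; nothing in parser.assert reads this field, so the tests still pass, but as the reference sample for the new JSON format the typo will be copied into future assertions. Suggest correcting it to `Negotiate` so the two representations of the event agree.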
diff --git a/parsers/s00-raw/crowdsecurity/windows-logs.yaml b/parsers/s00-raw/crowdsecurity/windows-logs.yaml
index 3703fcc90d0..7554f12327a 100644
--- a/parsers/s00-raw/crowdsecurity/windows-logs.yaml
+++ b/parsers/s00-raw/crowdsecurity/windows-logs.yaml
@@ -1,24 +1,45 @@
filter: "evt.Line.Module == 'wineventlog'"
onsuccess: next_stage
name: crowdsecurity/windows-eventlog
+nodes:
+ - filter: TrimSpace(evt.Line.Raw) startsWith '<'
+ statics:
+ - parsed: StrTime
+ #We need XMLGetAttributeValue because etree does not support getting an attribute value (or at least, i didn't manage to make the correct query)
+ expression: XMLGetAttributeValue(evt.Line.Raw, "/Event/System[1]/TimeCreated", "SystemTime")
+ - parsed: Channel
+ expression: XMLGetNodeValue(evt.Line.Raw, "/Event/System[1]/Channel")
+ - parsed: EventID
+ expression: XMLGetNodeValue(evt.Line.Raw, "/Event/System[1]/EventID")
+ - parsed: Source
+ expression: XMLGetAttributeValue(evt.Line.Raw, "/Event/System[1]/Provider", "Name")
+ - parsed: Computer
+ expression: XMLGetNodeValue(evt.Line.Raw, "/Event/System[1]/Computer")
+ - parsed: UserSID
+ expression: XMLGetAttributeValue(evt.Line.Raw, "/Event/System[1]/Security", "UserID")
+ - filter: TrimSpace(evt.Line.Raw) startsWith '{' && UnmarshalJSON(evt.Line.Raw, evt.Unmarshaled, 'wineventlog') in ['', nil]
+ statics:
+ - parsed: StrTime
+ expression: evt.Unmarshaled.wineventlog.timeCreated
+ - parsed: Channel
+ expression: evt.Unmarshaled.wineventlog.channel
+ - parsed: EventID
+ expression: string(int(evt.Unmarshaled.wineventlog.event_id))
+ - parsed: Source
+ expression: evt.Unmarshaled.wineventlog.source
+ - parsed: Computer
+ expression: evt.Unmarshaled.wineventlog.computer
+ - parsed: UserSID
+ expression: XMLGetNodeValue(evt.Unmarshaled.wineventlog.event_data, "/Data[@Name='UserID']")
+ - parsed: EventData
+ expression: evt.Unmarshaled.wineventlog.event_data
statics:
- meta: datasource_path
expression: evt.Line.Src
- meta: datasource_type
expression: evt.Line.Module
- target: evt.StrTime
- #We need XMLGetAttributeValue because etree does not support getting an attribute value (or at least, i didn't manage to make the correct query)
- expression: XMLGetAttributeValue(evt.Line.Raw, "/Event/System[1]/TimeCreated", "SystemTime")
- - parsed: Channel
- expression: XMLGetNodeValue(evt.Line.Raw, "/Event/System[1]/Channel")
- - parsed: EventID
- expression: XMLGetNodeValue(evt.Line.Raw, "/Event/System[1]/EventID")
- - parsed: Source
- expression: XMLGetAttributeValue(evt.Line.Raw, "/Event/System[1]/Provider", "Name")
- - parsed: Computer
- expression: XMLGetNodeValue(evt.Line.Raw, "/Event/System[1]/Computer")
- - parsed: UserSID
- expression: XMLGetAttributeValue(evt.Line.Raw, "/Event/System[1]/Security", "UserID")
+ expression: evt.Parsed.StrTime
- parsed: program
expression: evt.Line.Labels.type
---
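Review bot: In the JSON node, `UserSID` is read with `XMLGetNodeValue(evt.Unmarshaled.wineventlog.event_data, "/Data[@Name='UserID']")`, but the XML branch takes the same field from the `UserID` attribute of `/Event/System[1]/Security`, which is not part of EventData; the JSON fixtures in this commit carry only `SubjectUserSid`/`TargetUserSid` there and no `UserID` element, so `UserSID` will presumably be empty for every JSON event. Either map it to the nearest EventData equivalent and say so, e.g. `# EventData has no System/Security UserID; SubjectUserSid is the closest field — confirm before relying on it`, or drop the static from the JSON branch. Separately, `string(int(evt.Unmarshaled.wineventlog.event_id))` is evaluated for any line that unmarshals, so a record without `event_id` would presumably fail in the expression rather than in the filter; guarding in the node filter, `... && evt.Unmarshaled.wineventlog.event_id != nil`, would make that explicit.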
@@ -33,5 +54,4 @@ statics:
- meta: datasource_path
expression: evt.Line.Src
- meta: datasource_type
- expression: evt.Line.Module
-
+ expression: evt.Line.Module
\ No newline at end of file
diff --git a/parsers/s01-parse/crowdsecurity/windows-auth.yaml b/parsers/s01-parse/crowdsecurity/windows-auth.yaml
index 1f632f2eada..83be9f61ece 100644
--- a/parsers/s01-parse/crowdsecurity/windows-auth.yaml
+++ b/parsers/s01-parse/crowdsecurity/windows-auth.yaml
@@ -3,16 +3,31 @@ onsuccess: next_stage
filter: "evt.Parsed.Channel == 'Security' && evt.Parsed.EventID == '4625'"
name: crowdsecurity/windows-auth
description: "Parse windows authentication failure events (id 4625)"
+nodes:
+ - filter: TrimSpace(evt.Line.Raw) startsWith '<'
+ statics:
+ - meta: source_ip
+ expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='IpAddress']")
+ - meta: username
+ expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='TargetUserName']")
+ - meta: status
+ expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Status']")
+ - meta: sub_status
+ expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='SubStatus']")
+ - meta: logon_type
+ expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='LogonType']")
+ - filter: TrimSpace(evt.Line.Raw) startsWith '{'
+ statics:
+ - meta: source_ip
+ expression: XMLGetNodeValue(evt.Unmarshaled.wineventlog.event_data, "/Data[@Name='IpAddress']")
+ - meta: username
+ expression: XMLGetNodeValue(evt.Unmarshaled.wineventlog.event_data, "/Data[@Name='TargetUserName']")
+ - meta: status
+ expression: XMLGetNodeValue(evt.Unmarshaled.wineventlog.event_data, "/Data[@Name='Status']")
+ - meta: sub_status
+ expression: XMLGetNodeValue(evt.Unmarshaled.wineventlog.event_data, "/Data[@Name='SubStatus']")
+ - meta: logon_type
+ expression: XMLGetNodeValue(evt.Unmarshaled.wineventlog.event_data, "/Data[@Name='LogonType']")
statics:
- - meta: source_ip
- expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='IpAddress']")
- - meta: username
- expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='TargetUserName']")
- - meta: status
- expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Status']")
- - meta: sub_status
- expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='SubStatus']")
- - meta: logon_type
- expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='LogonType']")
- - meta: log_type
- value: windows_failed_auth
\ No newline at end of file
+ - meta: log_type
+ value: windows_failed_auth
\ No newline at end of file
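Review bot: The JSON node reads `evt.Unmarshaled.wineventlog.event_data` directly, so this stage is coupled to the s00-raw parser having populated `evt.Unmarshaled.wineventlog`; the s00-raw change in this same commit already exposes the same string as `evt.Parsed.EventData`, and the filter on line 3 already relies on s00 `Parsed` fields, so `expression: XMLGetNodeValue(evt.Parsed.EventData, "/Data[@Name='IpAddress']")` (and likewise for the other four statics) would keep the stage contract on `evt.Parsed` and avoid a nil dereference if a `{` line reaches this stage without the unmarshaled map. A short comment on the `{` node, e.g. `# event_data is the EventData XML fragment embedded in the JSON record, so the same XPath lookups apply`, would tell readers why XML functions are applied to a JSON event.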