diff --git a/parsers/s01-parse/freeswitch.yaml b/parsers/s01-parse/freeswitch.yaml
index ebaa6b0..41f06ef 100644
--- a/parsers/s01-parse/freeswitch.yaml
+++ b/parsers/s01-parse/freeswitch.yaml
@@ -10,6 +10,10 @@ nodes:
 - grok:
 pattern: ^%{FS_TIMESTAMP:timestamp} \[WARNING\] sofia_reg.c:1739 SIP auth failure \(REGISTER\) on sofia profile \'internal\' for %{FS_EXTENSION:fs_exten} from ip %{IP:source_ip}$
 apply_on: Line.Raw
+ onsuccess: next_stage
+ - grok:
+ pattern: ^%{FS_TIMESTAMP} \[WARNING\] sofia_reg.c:2930 Can\'t find user %{FS_EXTENSION:fs_exten} from %{IP:source_ip}$
+ onsuccess: next_stage
 statics:
 - meta: log_type
 value: freeswitch_failed_auth
diff --git a/scenarios/freeswitch-bf.yaml b/scenarios/freeswitch-bf.yaml
index f38f057..79d3ab3 100644
--- a/scenarios/freeswitch-bf.yaml
+++ b/scenarios/freeswitch-bf.yaml
@@ -4,7 +4,7 @@ debug: true
 name: haileyxb/freeswitch-bf
 description: "Detect freeswitch bruteforce"
 filter: evt.Meta.log_type == 'freeswitch_failed_auth'
-leakspeed: "5m"
+leakspeed: 15m
 capacity: 4
 groupby: evt.Meta.source_ip
 blackhole: 10m
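Review bot: The second grok node added in the parser hunk omits both the `timestamp` capture and the `apply_on` target that the first node has: its pattern opens with bare `%{FS_TIMESTAMP}` instead of `%{FS_TIMESTAMP:timestamp}`, and no `apply_on: Line.Raw` follows it. CrowdSec applies a grok node to the field named by `apply_on` (or the result of an `expression`); as far as I can tell a node with neither is never evaluated, so the `Can't find user` lines this pattern is meant to catch would not be tagged `freeswitch_failed_auth` and the bruteforce scenario would keep seeing only REGISTER auth failures — please confirm against the CrowdSec version in use. Lines that do match would also lack the parsed timestamp the first pattern provides, so the two event kinds would not be time-stamped consistently. I would change the new node to `pattern: ^%{FS_TIMESTAMP:timestamp} \[WARNING\] sofia_reg.c:2930 Can\'t find user %{FS_EXTENSION:fs_exten} from %{IP:source_ip}$` followed by `apply_on: Line.Raw`. Indentation in this chunk has been collapsed, so the nesting of the second `- grok:` under `nodes:` alongside `statics:` could not be verified from here.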
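Review bot: The new `leakspeed: 15m` in the scenario hunk changes the detection window without recording why; with `capacity: 4` the bucket now trips once more than four failed-auth events from one `source_ip` accumulate faster than they leak at one per 15 minutes, which catches a markedly slower brute force than the previous 5m did. I would add a comment above it, `# leak one event per 15m: >4 failures from one source_ip inside that window trips the bucket (was 5m)`, so the tuning is reviewable later. Dropping the quotes is harmless here because `15m` cannot be mis-typed by YAML, and it now matches the unquoted `blackhole: 10m` below. The hunk context also shows `debug: true` on this scenario, which reads like a development leftover that would log every bucket pour in production — worth confirming it is intended.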