diff --git a/plugins/parsers/enrich-username-win.yaml b/plugins/parsers/enrich-username-win.yaml
new file mode 100644
index 0000000..03daa10
--- /dev/null
+++ b/plugins/parsers/enrich-username-win.yaml
@@ -0,0 +1,10 @@
+# parsers/s02-enrich: name: custom/rdp-forbidden-usernames description: "Detect RDP login attempts with forbidden usernames" filter: "evt.Meta.event_id in ['4625']" grok: pattern: "Account Name:\\s+(?P\\S+)" apply_on: message statics: - meta: username expression: evt.Parsed.username
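Review bot: The grok named capture on the `pattern:` line has no group name — `(?P\\S+)` is not valid named-group syntax, so `evt.Parsed.username` referenced on the last line would never be populated and the `meta: username` static would stay empty; if the `<username>` part was merely lost when this page was rendered this is moot, otherwise the line should read `pattern: "Account Name:\\s+(?P<username>\\S+)"`. Windows 4625 messages also carry two `Account Name:` fields (the Subject's and the account for which logon failed), and a leftmost match would capture the Subject's, which is often `-` or a machine account, so the pattern should be anchored on the target-account section or on the second occurrence. The description promises RDP, but the `filter:` line accepts every 4625 regardless of logon type, so console and network logon failures would be enriched and, presumably, fed to the downstream scenario as well — either narrow the filter on the logon type (RemoteInteractive is type 10) or reword the description. The leading `# parsers/s02-enrich:` comment reads like a leftover collection-index fragment rather than a stage declaration and is likely to confuse the next reader; either remove it or replace it with a comment stating where the stage is actually set.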