diff --git a/.tests/teleport-bf/config.yaml b/.tests/teleport-bf/config.yaml
new file mode 100644
index 00000000000..9cb8e745351
--- /dev/null
+++ b/.tests/teleport-bf/config.yaml
@@ -0,0 +1,13 @@
+parsers:
+- crowdsecurity/syslog-logs
+- crowdsecurity/dateparse-enrich
+- ./parsers/s01-parse/crowdsecurity/teleport-logs.yaml
+scenarios:
+- ./scenarios/crowdsecurity/teleport-bf.yaml
+postoverflows:
+- ""
+log_file: teleport-bf.log
+log_type: teleport
+labels: {}
+ignore_parsers: true
+override_statics: []
diff --git a/.tests/teleport-bf/parser.assert b/.tests/teleport-bf/parser.assert
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/.tests/teleport-bf/scenario.assert b/.tests/teleport-bf/scenario.assert
new file mode 100644
index 00000000000..fc59979ad5e
--- /dev/null
+++ b/.tests/teleport-bf/scenario.assert
@@ -0,0 +1,69 @@ +len(results) == 1 +"172.19.0.2" in results[0].Overflow.GetSources() +results[0].Overflow.Sources["172.19.0.2"].IP == "172.19.0.2" +results[0].Overflow.Sources["172.19.0.2"].Range == "" +results[0].Overflow.Sources["172.19.0.2"].GetScope() == "Ip" +results[0].Overflow.Sources["172.19.0.2"].GetValue() == "172.19.0.2" +results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "teleport-bf.log" +results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" +results[0].Overflow.Alert.Events[0].GetMeta("http_user_agent") == "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1" +results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_failed" +results[0].Overflow.Alert.Events[0].GetMeta("service") == "teleport" +results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "172.19.0.2" +results[0].Overflow.Alert.Events[0].GetMeta("sub_type") == "user.login" +results[0].Overflow.Alert.Events[0].GetMeta("success") == "false" +results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-09-05T07:16:25.133Z" +results[0].Overflow.Alert.Events[0].GetMeta("user") == "Bekekrb" +results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "teleport-bf.log" +results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" +results[0].Overflow.Alert.Events[1].GetMeta("http_user_agent") == "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1" +results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_failed" +results[0].Overflow.Alert.Events[1].GetMeta("service") == "teleport" +results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "172.19.0.2" +results[0].Overflow.Alert.Events[1].GetMeta("sub_type") == "user.login" +results[0].Overflow.Alert.Events[1].GetMeta("success") == "false" +results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == 
"2023-09-05T07:16:25.133Z" +results[0].Overflow.Alert.Events[1].GetMeta("user") == "Bekekrb" +results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "teleport-bf.log" +results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" +results[0].Overflow.Alert.Events[2].GetMeta("http_user_agent") == "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1" +results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "auth_failed" +results[0].Overflow.Alert.Events[2].GetMeta("service") == "teleport" +results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "172.19.0.2" +results[0].Overflow.Alert.Events[2].GetMeta("sub_type") == "user.login" +results[0].Overflow.Alert.Events[2].GetMeta("success") == "false" +results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-09-05T07:16:25.133Z" +results[0].Overflow.Alert.Events[2].GetMeta("user") == "Bekekrb" +results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "teleport-bf.log" +results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" +results[0].Overflow.Alert.Events[3].GetMeta("http_user_agent") == "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1" +results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "auth_failed" +results[0].Overflow.Alert.Events[3].GetMeta("service") == "teleport" +results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "172.19.0.2" +results[0].Overflow.Alert.Events[3].GetMeta("sub_type") == "user.login" +results[0].Overflow.Alert.Events[3].GetMeta("success") == "false" +results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-09-05T07:16:25.133Z" +results[0].Overflow.Alert.Events[3].GetMeta("user") == "Bekekrb" +results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "teleport-bf.log" +results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == 
"file" +results[0].Overflow.Alert.Events[4].GetMeta("http_user_agent") == "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1" +results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "auth_failed" +results[0].Overflow.Alert.Events[4].GetMeta("service") == "teleport" +results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "172.19.0.2" +results[0].Overflow.Alert.Events[4].GetMeta("sub_type") == "user.login" +results[0].Overflow.Alert.Events[4].GetMeta("success") == "false" +results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-09-05T07:16:25.133Z" +results[0].Overflow.Alert.Events[4].GetMeta("user") == "Bekekrb" +results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "teleport-bf.log" +results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" +results[0].Overflow.Alert.Events[5].GetMeta("http_user_agent") == "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1" +results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "auth_failed" +results[0].Overflow.Alert.Events[5].GetMeta("service") == "teleport" +results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "172.19.0.2" +results[0].Overflow.Alert.Events[5].GetMeta("sub_type") == "user.login" +results[0].Overflow.Alert.Events[5].GetMeta("success") == "false" +results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-09-05T07:16:25.133Z" +results[0].Overflow.Alert.Events[5].GetMeta("user") == "Bekekrb" +results[0].Overflow.Alert.GetScenario() == "crowdsecurity/teleport-bf" +results[0].Overflow.Alert.Remediation == true +results[0].Overflow.Alert.GetEventsCount() == 6 diff --git a/.tests/teleport-bf/teleport-bf.log b/.tests/teleport-bf/teleport-bf.log new file mode 100644 index 00000000000..e90d2dcfc22 --- /dev/null +++ b/.tests/teleport-bf/teleport-bf.log 
@@ -0,0 +1,6 @@
+{"ei":0,"event":"user.login","uid":"a487975c-a132-4b76-81c1-225284b2a129","code":"T1000W","time":"2023-09-05T07:16:25.133Z","cluster_name":"teleport.home.example.com","user":"Bekekrb","success":false,"error":"invalid username, password or second factor","method":"local","user_agent":"Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1","addr.remote":"172.19.0.2:34204"}
+{"ei":0,"event":"user.login","uid":"a487975c-a132-4b76-81c1-225284b2a129","code":"T1000W","time":"2023-09-05T07:16:25.133Z","cluster_name":"teleport.home.example.com","user":"Bekekrb","success":false,"error":"invalid username, password or second factor","method":"local","user_agent":"Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1","addr.remote":"172.19.0.2:34204"}
+{"ei":0,"event":"user.login","uid":"a487975c-a132-4b76-81c1-225284b2a129","code":"T1000W","time":"2023-09-05T07:16:25.133Z","cluster_name":"teleport.home.example.com","user":"Bekekrb","success":false,"error":"invalid username, password or second factor","method":"local","user_agent":"Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1","addr.remote":"172.19.0.2:34204"}
+{"ei":0,"event":"user.login","uid":"a487975c-a132-4b76-81c1-225284b2a129","code":"T1000W","time":"2023-09-05T07:16:25.133Z","cluster_name":"teleport.home.example.com","user":"Bekekrb","success":false,"error":"invalid username, password or second factor","method":"local","user_agent":"Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1","addr.remote":"172.19.0.2:34204"}
+{"ei":0,"event":"user.login","uid":"a487975c-a132-4b76-81c1-225284b2a129","code":"T1000W","time":"2023-09-05T07:16:25.133Z","cluster_name":"teleport.home.example.com","user":"Bekekrb","success":false,"error":"invalid username, password or second factor","method":"local","user_agent":"Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1","addr.remote":"172.19.0.2:34204"}
+{"ei":0,"event":"user.login","uid":"a487975c-a132-4b76-81c1-225284b2a129","code":"T1000W","time":"2023-09-05T07:16:25.133Z","cluster_name":"teleport.home.example.com","user":"Bekekrb","success":false,"error":"invalid username, password or second factor","method":"local","user_agent":"Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1","addr.remote":"172.19.0.2:34204"}
diff --git a/.tests/teleport-impossible-travel/config.yaml b/.tests/teleport-impossible-travel/config.yaml
new file mode 100644
index 00000000000..4664578b4e0
--- /dev/null
+++ b/.tests/teleport-impossible-travel/config.yaml
@@ -0,0 +1,15 @@
+parsers:
+- crowdsecurity/syslog-logs
+- crowdsecurity/dateparse-enrich
+- crowdsecurity/geoip-enrich
+- ./parsers/s01-parse/crowdsecurity/teleport-logs.yaml
+scenarios:
+- crowdsecurity/impossible-travel
+- crowdsecurity/impossible-travel-user
+postoverflows:
+- ""
+log_file: teleport-bf.log
+log_type: teleport
+labels: {}
+ignore_parsers: true
+override_statics: []
diff --git a/.tests/teleport-impossible-travel/parser.assert b/.tests/teleport-impossible-travel/parser.assert
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/.tests/teleport-impossible-travel/scenario.assert b/.tests/teleport-impossible-travel/scenario.assert
new file mode 100644
index 00000000000..a212328c5d5
--- /dev/null
+++ b/.tests/teleport-impossible-travel/scenario.assert
@@ -0,0 +1,74 @@ +len(results) == 2 +"1.2.3.4" in results[0].Overflow.GetSources() +results[0].Overflow.Sources["1.2.3.4"].IP == "1.2.3.4" +results[0].Overflow.Sources["1.2.3.4"].Range == "" +results[0].Overflow.Sources["1.2.3.4"].GetScope() == "Ip" +results[0].Overflow.Sources["1.2.3.4"].GetValue() == "1.2.3.4" +"9.8.8.8" in results[0].Overflow.GetSources() +results[0].Overflow.Sources["9.8.8.8"].IP == "9.8.8.8" +results[0].Overflow.Sources["9.8.8.8"].Range == "" +results[0].Overflow.Sources["9.8.8.8"].GetScope() == "Ip" +results[0].Overflow.Sources["9.8.8.8"].GetValue() == "9.8.8.8" +results[0].Overflow.Alert.Events[0].GetMeta("ASNNumber") == "0" +results[0].Overflow.Alert.Events[0].GetMeta("IsInEU") == "false" +results[0].Overflow.Alert.Events[0].GetMeta("IsoCode") == "AU" +results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "teleport-bf.log" +results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" +results[0].Overflow.Alert.Events[0].GetMeta("http_user_agent") == "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1" +results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_success" +results[0].Overflow.Alert.Events[0].GetMeta("service") == "teleport" +results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4" +results[0].Overflow.Alert.Events[0].GetMeta("sub_type") == "user.login" +results[0].Overflow.Alert.Events[0].GetMeta("success") == "true" +results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-09-05T07:16:25.133Z" +results[0].Overflow.Alert.Events[0].GetMeta("user") == "root" +results[0].Overflow.Alert.Events[1].GetMeta("ASNNumber") == "0" +results[0].Overflow.Alert.Events[1].GetMeta("IsInEU") == "false" +results[0].Overflow.Alert.Events[1].GetMeta("IsoCode") == "US" +results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "teleport-bf.log" 
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" +results[0].Overflow.Alert.Events[1].GetMeta("http_user_agent") == "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1" +results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_success" +results[0].Overflow.Alert.Events[1].GetMeta("service") == "teleport" +results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "9.8.8.8" +results[0].Overflow.Alert.Events[1].GetMeta("sub_type") == "user.login" +results[0].Overflow.Alert.Events[1].GetMeta("success") == "true" +results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-09-05T07:16:26.133Z" +results[0].Overflow.Alert.Events[1].GetMeta("user") == "root" +results[0].Overflow.Alert.GetScenario() == "crowdsecurity/impossible-travel" +results[0].Overflow.Alert.Remediation == false +results[0].Overflow.Alert.GetEventsCount() == 2 +"root" in results[1].Overflow.GetSources() +results[1].Overflow.Sources["root"].IP == "" +results[1].Overflow.Sources["root"].Range == "" +results[1].Overflow.Sources["root"].GetScope() == "username" +results[1].Overflow.Sources["root"].GetValue() == "root" +results[1].Overflow.Alert.Events[0].GetMeta("ASNNumber") == "0" +results[1].Overflow.Alert.Events[0].GetMeta("IsInEU") == "false" +results[1].Overflow.Alert.Events[0].GetMeta("IsoCode") == "AU" +results[1].Overflow.Alert.Events[0].GetMeta("datasource_path") == "teleport-bf.log" +results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" +results[1].Overflow.Alert.Events[0].GetMeta("http_user_agent") == "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1" +results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_success" +results[1].Overflow.Alert.Events[0].GetMeta("service") == "teleport" +results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4" 
+results[1].Overflow.Alert.Events[0].GetMeta("sub_type") == "user.login" +results[1].Overflow.Alert.Events[0].GetMeta("success") == "true" +results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-09-05T07:16:25.133Z" +results[1].Overflow.Alert.Events[0].GetMeta("user") == "root" +results[1].Overflow.Alert.Events[1].GetMeta("ASNNumber") == "0" +results[1].Overflow.Alert.Events[1].GetMeta("IsInEU") == "false" +results[1].Overflow.Alert.Events[1].GetMeta("IsoCode") == "US" +results[1].Overflow.Alert.Events[1].GetMeta("datasource_path") == "teleport-bf.log" +results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" +results[1].Overflow.Alert.Events[1].GetMeta("http_user_agent") == "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1" +results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_success" +results[1].Overflow.Alert.Events[1].GetMeta("service") == "teleport" +results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "9.8.8.8" +results[1].Overflow.Alert.Events[1].GetMeta("sub_type") == "user.login" +results[1].Overflow.Alert.Events[1].GetMeta("success") == "true" +results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-09-05T07:16:26.133Z" +results[1].Overflow.Alert.Events[1].GetMeta("user") == "root" +results[1].Overflow.Alert.GetScenario() == "crowdsecurity/impossible-travel-user" +results[1].Overflow.Alert.Remediation == false +results[1].Overflow.Alert.GetEventsCount() == 2 diff --git a/.tests/teleport-impossible-travel/teleport-bf.log b/.tests/teleport-impossible-travel/teleport-bf.log new file mode 100644 index 00000000000..1ef2dbc74cd --- /dev/null +++ b/.tests/teleport-impossible-travel/teleport-bf.log 
@@ -0,0 +1,2 @@
+{"ei":0,"event":"user.login","uid":"a487975c-a132-4b76-81c1-225284b2a129","code":"T1000W","time":"2023-09-05T07:16:25.133Z","cluster_name":"teleport.home.example.com","user":"root","success":true,"method":"local","user_agent":"Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1","addr.remote":"1.2.3.4:34204"}
+{"ei":0,"event":"user.login","uid":"a487975c-a132-4b76-81c1-225284b2a129","code":"T1000W","time":"2023-09-05T07:16:26.133Z","cluster_name":"teleport.home.example.com","user":"root","success":true,"method":"local","user_agent":"Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1","addr.remote":"9.8.8.8:34204"}
diff --git a/.tests/teleport-logs/config.yaml b/.tests/teleport-logs/config.yaml
new file mode 100644
index 00000000000..0f231f20e3f
--- /dev/null
+++ b/.tests/teleport-logs/config.yaml
@@ -0,0 +1,13 @@
+parsers:
+- crowdsecurity/syslog-logs
+- crowdsecurity/dateparse-enrich
+- ./parsers/s01-parse/crowdsecurity/teleport-logs.yaml
+scenarios:
+- ""
+postoverflows:
+- ""
+log_file: teleport-logs.log
+log_type: teleport
+labels: {}
+ignore_parsers: false
+override_statics: []
diff --git a/.tests/teleport-logs/parser.assert b/.tests/teleport-logs/parser.assert
new file mode 100644
index 00000000000..01ea9f4c9bc
--- /dev/null
+++ b/.tests/teleport-logs/parser.assert
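Review bot: Both fixture lines are `success: true` yet carry `"code":"T1000W"`, which as far as I recall is Teleport's local-login failure code (the success code being `T1000I`), and both reuse the same `uid`; the parser in this diff keys only on `success`, but a fixture that contradicts the real event shape will mislead anyone who later switches the parser or a scenario to `code`. Replace the code with `"code":"T1000I"` on both lines and give the second event its own `uid`. The file is also named `teleport-bf.log` inside the impossible-travel test directory; renaming it (together with the `log_file` value and the `datasource_path` assertions) to something like `teleport-impossible-travel.log` keeps the test self-describing.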
@@ -0,0 +1,65 @@ +len(results) == 4 +len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 1 +results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true +results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "{\"ei\":0,\"event\":\"user.login\",\"uid\":\"a487975c-a132-4b76-81c1-225284b2a129\",\"code\":\"T1000W\",\"time\":\"2023-09-05T07:16:25.133Z\",\"cluster_name\":\"teleport.home.example.com\",\"user\":\"Bekekrb\",\"success\":false,\"error\":\"invalid username, password or second factor\",\"method\":\"local\",\"user_agent\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1\",\"addr.remote\":\"172.19.0.2:34204\"}" +results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "teleport" +results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "teleport-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false +len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 1 +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false +len(results["s01-parse"]["crowdsecurity/teleport-logs"]) == 1 +results["s01-parse"]["crowdsecurity/teleport-logs"][0].Success == true +results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Parsed["message"] == "{\"ei\":0,\"event\":\"user.login\",\"uid\":\"a487975c-a132-4b76-81c1-225284b2a129\",\"code\":\"T1000W\",\"time\":\"2023-09-05T07:16:25.133Z\",\"cluster_name\":\"teleport.home.example.com\",\"user\":\"Bekekrb\",\"success\":false,\"error\":\"invalid username, password or second factor\",\"method\":\"local\",\"user_agent\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1\",\"addr.remote\":\"172.19.0.2:34204\"}" 
+results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Parsed["program"] == "teleport" +results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Meta["datasource_path"] == "teleport-logs.log" +results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1" +results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Meta["log_type"] == "auth_failed" +results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Meta["service"] == "teleport" +results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Meta["source_ip"] == "172.19.0.2" +results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Meta["sub_type"] == "user.login" +results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Meta["success"] == "false" +results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Meta["user"] == "Bekekrb" +results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Unmarshaled["teleport"]["user"] == "Bekekrb" +results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Unmarshaled["teleport"]["addr.remote"] == "172.19.0.2:34204" +results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Unmarshaled["teleport"]["code"] == "T1000W" +results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Unmarshaled["teleport"]["ei"] == 0 +results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Unmarshaled["teleport"]["error"] == "invalid username, password or second factor" +results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Unmarshaled["teleport"]["success"] == false +results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Unmarshaled["teleport"]["uid"] == "a487975c-a132-4b76-81c1-225284b2a129" +results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Unmarshaled["teleport"]["cluster_name"] == "teleport.home.example.com" 
+results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Unmarshaled["teleport"]["event"] == "user.login" +results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Unmarshaled["teleport"]["method"] == "local" +results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Unmarshaled["teleport"]["time"] == "2023-09-05T07:16:25.133Z" +results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Unmarshaled["teleport"]["user_agent"] == "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1" +results["s01-parse"]["crowdsecurity/teleport-logs"][0].Evt.Whitelisted == false +len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 1 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "{\"ei\":0,\"event\":\"user.login\",\"uid\":\"a487975c-a132-4b76-81c1-225284b2a129\",\"code\":\"T1000W\",\"time\":\"2023-09-05T07:16:25.133Z\",\"cluster_name\":\"teleport.home.example.com\",\"user\":\"Bekekrb\",\"success\":false,\"error\":\"invalid username, password or second factor\",\"method\":\"local\",\"user_agent\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1\",\"addr.remote\":\"172.19.0.2:34204\"}" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "teleport" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "teleport-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "auth_failed" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "teleport" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "172.19.0.2" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["sub_type"] == "user.login" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["success"] == "false" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2023-09-05T07:16:25.133Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["user"] == "Bekekrb" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2023-09-05T07:16:25.133Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["teleport"]["uid"] == "a487975c-a132-4b76-81c1-225284b2a129" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["teleport"]["user_agent"] == "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["teleport"]["cluster_name"] == "teleport.home.example.com" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["teleport"]["method"] == "local" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["teleport"]["time"] == "2023-09-05T07:16:25.133Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["teleport"]["error"] == "invalid username, password or second factor" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["teleport"]["event"] == "user.login" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["teleport"]["success"] == false 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["teleport"]["user"] == "Bekekrb"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["teleport"]["addr.remote"] == "172.19.0.2:34204"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["teleport"]["code"] == "T1000W"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["teleport"]["ei"] == 0
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
+len(results["success"][""]) == 0
diff --git a/.tests/teleport-logs/scenario.assert b/.tests/teleport-logs/scenario.assert
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/.tests/teleport-logs/teleport-logs.log b/.tests/teleport-logs/teleport-logs.log
new file mode 100644
index 00000000000..707521113e4
--- /dev/null
+++ b/.tests/teleport-logs/teleport-logs.log
@@ -0,0 +1 @@
+{"ei":0,"event":"user.login","uid":"a487975c-a132-4b76-81c1-225284b2a129","code":"T1000W","time":"2023-09-05T07:16:25.133Z","cluster_name":"teleport.home.example.com","user":"Bekekrb","success":false,"error":"invalid username, password or second factor","method":"local","user_agent":"Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1","addr.remote":"172.19.0.2:34204"}
diff --git a/collections/crowdsecurity/teleport.md b/collections/crowdsecurity/teleport.md
new file mode 100644
index 00000000000..744901257bd
--- /dev/null
+++ b/collections/crowdsecurity/teleport.md
@@ -0,0 +1,37 @@ +Teleport collection includes: +- JSON Parser +- Authentication bruteforce scenarios for webui and tsh +- Impossible travel detection + +Teleport supports multiple storage backends for storing audit events. The `dir` backend uses the local filesystem of an Auth Service host. When this backend is used, events are written to the filesystem in JSON format. The dir backend rotates the event file approximately once every 24 hours, but never deletes captured events. + +Example acquisition: + +```yaml +filenames: + - /var/lib/teleport/log/*.log +labels: + type: teleport +``` + +### Impossible travel remediation + +The reason why we have set remediation to false by default is we don't want to lock out legitimate users and want you to fully understand how the collection works before you jump in feet first. + +You can enable remediation by setting remediation label within crowdsecurity/impossible-travel.yaml to true within the scenarios folder. + +You can enable user remediation by setting remediation label within crowdsecurity/impossible-travel-user.yaml to true within the scenarios folder and you must add a profiles to handle this scope example: + +```yaml +#/etc/crowdsec/profiles.yaml.local +name: username_temp_ban +filters: + - 'Alert.Remediation == true && Alert.GetScope() == "username"' +decisions: + - type: tempban + scope: "username" + duration: 12h +on_success: break +``` + +#### However, most bouncers dont know how to handle user remediation I will append a blog post on how to handle this in the future. \ No newline at end of file diff --git a/collections/crowdsecurity/teleport.yaml b/collections/crowdsecurity/teleport.yaml new file mode 100644 index 00000000000..ab273b9803d --- /dev/null +++ b/collections/crowdsecurity/teleport.yaml 
@@ -0,0 +1,11 @@ +parsers: + - crowdsecurity/teleport-logs +scenarios: + - crowdsecurity/teleport-bf + - crowdsecurity/impossible-travel + - crowdsecurity/impossible-travel-user +description: "Teleport support : parser and brute-force detection" +author: crowdsecurity +tags: + - teleport + - bruteforce diff --git a/parsers/s01-parse/crowdsecurity/teleport-logs.md b/parsers/s01-parse/crowdsecurity/teleport-logs.md new file mode 100644 index 00000000000..c009ea95528 --- /dev/null +++ b/parsers/s01-parse/crowdsecurity/teleport-logs.md @@ -0,0 +1 @@ +A parser for teleport json logs \ No newline at end of file diff --git a/parsers/s01-parse/crowdsecurity/teleport-logs.yaml b/parsers/s01-parse/crowdsecurity/teleport-logs.yaml new file mode 100644 index 00000000000..7af8d792908 --- /dev/null +++ b/parsers/s01-parse/crowdsecurity/teleport-logs.yaml @@ -0,0 +1,24 @@ +name: crowdsecurity/teleport-logs +description: "Parse teleport logs" +filter: "evt.Parsed.program == 'teleport' && UnmarshalJSON(evt.Parsed.message, evt.Unmarshaled, 'teleport') in ['', nil]" +#debug: true +onsuccess: next_stage +statics: + - meta: service + value: teleport + - meta: sub_type + expression: evt.Unmarshaled.teleport.event + - meta: success + expression: "evt.Unmarshaled.teleport.success ? 'true' : 'false'" +## Set for impossible travel scenario + - meta: log_type + expression: "evt.Unmarshaled.teleport.success ? 'auth_success' : 'auth_failed'" +##Converting a bool with sprintf is very slow, so we use a ternary expression + - target: evt.StrTime + expression: evt.Unmarshaled.teleport.time + - meta: user + expression: evt.Unmarshaled.teleport.user + - meta: source_ip + expression: Split(evt.Unmarshaled.teleport["addr.remote"], ':')[0] + - meta: http_user_agent + expression: evt.Unmarshaled.teleport["user_agent"] \ No newline at end of file diff --git a/scenarios/crowdsecurity/teleport-bf.md b/scenarios/crowdsecurity/teleport-bf.md new file mode 100644 index 00000000000..5cc8553784f --- /dev/null 
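Review bot: The collection pulls in `crowdsecurity/impossible-travel` and `crowdsecurity/impossible-travel-user` but no GeoIP enrichment, while the impossible-travel test config in this same diff has to list `crowdsecurity/geoip-enrich` explicitly and its assertions check `IsoCode`; on an instance where that parser is not already installed (it usually arrives through another collection, but nothing here guarantees it) those two scenarios would silently never overflow. Add `  - crowdsecurity/geoip-enrich` under `parsers:` so the dependency is explicit, or depend on whichever hub collection provides the impossible-travel scenarios if one exists. The description also undersells what is shipped; `description: "Teleport support : parser, brute-force and impossible-travel detection"` matches the scenario list.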
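Review bot: `source_ip` is derived with `Split(evt.Unmarshaled.teleport["addr.remote"], ':')[0]`, which only works for IPv4; if Teleport writes IPv6 peers in Go's `[host]:port` form (e.g. `[2001:db8::1]:34204`), the meta becomes `[2001` and both teleport-bf scenarios then group on, and emit an Ip-scoped decision for, a value that is not an address. The statics also run for every event that passes the filter, which checks only `program` and that the JSON unmarshals, so non-login events that lack `success` or `addr.remote` feed nil into the ternary and into `Split` — presumably a per-event runtime warning rather than a dropped event, but that should be confirmed rather than relied on. A grok on the field handles both address families and makes the node fail cleanly when the field is absent; one way to do it, replacing the `source_ip` static under the existing filter (check that `expression:` on grok is supported by the crowdsec version the hub targets), is:

```yaml
# … unchanged: name, description, filter, onsuccess …
nodes:
  - grok:
      expression: evt.Unmarshaled.teleport["addr.remote"]
      pattern: '^\[?%{IP:remote_host}\]?:%{INT:remote_port}$'
      statics:
        - meta: source_ip
          expression: evt.Parsed.remote_host
# … unchanged: remaining statics (service, sub_type, success, log_type, StrTime, user, http_user_agent) …
```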
+++ b/scenarios/crowdsecurity/teleport-bf.md @@ -0,0 +1 @@ +Scenarios to detect teleport authentication bruteforce attacks. \ No newline at end of file diff --git a/scenarios/crowdsecurity/teleport-bf.yaml b/scenarios/crowdsecurity/teleport-bf.yaml new file mode 100644 index 00000000000..46f6181a9ba --- /dev/null +++ b/scenarios/crowdsecurity/teleport-bf.yaml @@ -0,0 +1,43 @@ +type: leaky +name: crowdsecurity/teleport-bf +description: "detect teleport bruteforce" +filter: | + evt.Meta.service == 'teleport' && + evt.Meta.sub_type in ['auth', 'user.login'] && + evt.Meta.success == 'false' +groupby: evt.Meta.source_ip +capacity: 5 +leakspeed: "10s" +blackhole: 5m +labels: + service: teleport + type: bruteforce + remediation: true + confidence: 3 + spoofable: 0 + classification: + - attack.T1110 + label: "Teleport Bruteforce" + behavior: "teleport:bruteforce" +--- +type: leaky +name: crowdsecurity/teleport-slow-bf +description: "detect slow teleport bruteforce" +filter: | + evt.Meta.service == 'teleport' && + evt.Meta.sub_type in ['auth', 'user.login'] && + evt.Meta.success == 'false' +groupby: evt.Meta.source_ip +capacity: 10 +leakspeed: 1m +blackhole: 5m +labels: + service: teleport + type: bruteforce + remediation: true + confidence: 3 + spoofable: 0 + classification: + - attack.T1110 + label: "Teleport Bruteforce" + behavior: "teleport:bruteforce" \ No newline at end of file
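Review bot: Both scenarios group on `evt.Meta.source_ip`, which the parser takes from Teleport's `addr.remote`, i.e. the TCP peer seen by the Auth/Proxy service; the bf fixture's `172.19.0.2` is a Docker-bridge address, which is exactly what a deployment behind a reverse proxy or load balancer records for every client, so with `remediation: true` and `spoofable: 0` six bad passwords from anyone would ban the proxy for all users. State that next to `groupby`, e.g. `# source_ip is the TCP peer from addr.remote: behind a proxy/LB it is the proxy, and banning it locks out everyone`, and have the collection doc say the acquisition must see real client addresses. The `'auth'` value in `sub_type in ['auth', 'user.login']` is not produced by anything in the parser or the fixtures, so it is either dead or meant for an event name not shown here and deserves a comment either way. Minor: `leakspeed: "10s"` is quoted while `leakspeed: 1m` is not.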