diff --git a/src/afterfact.rs b/src/afterfact.rs
index ddfd183a..51c49bb3 100644
--- a/src/afterfact.rs
+++ b/src/afterfact.rs
@@ -85,10 +85,8 @@ fn test_emit_csv() {
 "CommandLine": "hoge"
 },
 "System": {
- "TimeCreated": {
- "#attributes":{
- "SystemTime": "1996-02-27T01:05:01Z"
- }
+ "TimeCreated_attributes": {
+ "SystemTime": "1996-02-27T01:05:01Z"
 }
 }
 }
diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index d67eb96c..8976bfe5 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -5,7 +5,7 @@ use crate::detections::rule;
 use crate::detections::rule::RuleNode;
 use crate::yaml::ParseYaml;
 use evtx::err;
-use evtx::{EvtxParser, SerializedEvtxRecord};
+use evtx::{EvtxParser, ParserSettings, SerializedEvtxRecord};
 use serde_json::{Error, Value};
 use std::path::PathBuf;
 
@@ -66,6 +66,9 @@ impl Detection {
 }
 })
 .map(|mut cur| {
+ let mut parse_config = ParserSettings::default();
+ parse_config = parse_config.separate_json_attributes(true);
+ cur = cur.with_configuration(parse_config);
 let ret: Vec>> = cur.records_json().collect();
 return ret;
diff --git a/src/detections/print.rs b/src/detections/print.rs
index 5bfc235d..0f570e30 100644
--- a/src/detections/print.rs
+++ b/src/detections/print.rs
@@ -120,8 +120,7 @@ impl Message {
 }
 
 fn get_event_time(event_record: &Value) -> Option> {
- let system_time =
- &event_record["Event"]["System"]["TimeCreated"]["#attributes"]["SystemTime"];
+ let system_time = &event_record["Event"]["System"]["TimeCreated_attributes"]["SystemTime"];
 let system_time_str = system_time.as_str().unwrap_or("");
 if system_time_str.is_empty() {
 return Option::None;
@@ -157,10 +156,8 @@ mod tests {
 "CommandLine": "hoge"
 },
 "System": {
- "TimeCreated": {
- "#attributes":{
- "SystemTime": "1996-02-27T01:05:01Z"
- }
+ "TimeCreated_attributes": {
+ "SystemTime": "1996-02-27T01:05:01Z"
 }
 }
 }
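Review bot: The three lines added inside the `.map(|mut cur| { … })` closure in detection.rs build the settings through a mutable reassignment and then overwrite the closure parameter, where a single expression does the same without either `mut`: `let cur = cur.with_configuration(ParserSettings::default().separate_json_attributes(true));` (and `|mut cur|` becomes `|cur|`). More importantly, this setting changes the key layout of every record the parser emits — the fixtures in this commit show `TimeCreated` / `#attributes` becoming a `TimeCreated_attributes` sibling — so every reader of attribute keys has to follow, and the commit only updates the TimeCreated lookup in print.rs; any other code path or rule reading an `#attributes` key (none visible here) would stop matching silently, because indexing a missing key on a serde_json `Value` yields `Null` rather than an error. A one-line comment above the added lines stating that `separate_json_attributes(true)` is what the `*_attributes` lookups elsewhere depend on would make the coupling visible. The enclosing method chain starts and ends outside the hunk.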
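Review bot: The rewritten lookup in get_event_time now depends on the parser having been built with `separate_json_attributes(true)`; a record from a default-configured EvtxParser still nests the timestamp under `TimeCreated` / `#attributes` (the removed path), and with serde_json indexing the mismatch produces `Null`, then `""` from `unwrap_or("")`, then `None` — the event time disappears with no error or log line. A comment on the new line would document that contract: `// Key layout relies on ParserSettings::separate_json_attributes(true) (see detection.rs); with a default parser this lookup silently yields None.` If a mismatch is worth surfacing, the empty-string check a few lines down is the natural place to log it rather than returning `Option::None` quietly. get_event_time continues past the end of the hunk.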
@@ -180,10 +177,8 @@ mod tests {
 "CommandLine": "hoge"
 },
 "System": {
- "TimeCreated": {
- "#attributes":{
- "SystemTime": "1996-02-27T01:05:01Z"
- }
+ "TimeCreated_attributes": {
+ "SystemTime": "1996-02-27T01:05:01Z"
 }
 }
 }
@@ -203,10 +198,8 @@ mod tests {
 "CommandLine": "hoge"
 },
 "System": {
- "TimeCreated": {
- "#attributes":{
- "SystemTime": "2000-01-21T09:06:01Z"
- }
+ "TimeCreated_attributes": {
+ "SystemTime": "2000-01-21T09:06:01Z"
 }
 }
 }