No need to guess, the evidence is already there.
I stopped using Event Viewer to check failed logins after discovering this PowerShell trick
A PowerShell script was discovered to bypass native Windows Event Viewer limitations for tracking failed logins, exposing a gap in forensic visibility. Administrators relying solely on Event Viewer for security monitoring may miss critical intrusion indicators, enabling undetected lateral movement or credential stuffing attacks.