Most identity threat detection strategies I see are built around the wrong events. Teams collect every security event, build elaborate dashboards showing "Total Logons" and "Failed Password Attempts," and wonder why they're not finding attackers.

Here's the truth: You don't need all the events. You need the right events — the ones that actually indicate identity compromise, privilege escalation, or lateral movement. I'm going to give you the 15 event IDs that matter most for identity security, what they mean in real terms, and how to detect the attacks they reveal.

The Attack Categories

Let me structure this by attack type, not event ID. This is how attackers think — not in terms of Microsoft's event numbering scheme, but in terms of objectives. Your detection should match that.

1. Credential Harvesting Events

This category covers attackers getting your credentials — through phishing, password spraying, brute force, or credential dumping.

Event ID 4625 — Logon Failure

This is your first line of defense. Every failed logon attempt generates this event. But here's what matters:

# Suspicious 4625 patterns:
# 1. Multiple failures from the same source IP to different usernames (password spray)
# 2. Failures against privileged accounts (Domain Admins, Enterprise Admins)
# 3. Repeated failures for the same account during off-hours

# PowerShell to detect password spraying: group failures by source IP
# (Properties[19] = IpAddress) and count the distinct target accounts
# (Properties[5] = TargetUserName); events with no source IP show "-"
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4625} |
  Where-Object { $_.Properties[19].Value -ne '-' } |
  Group-Object { $_.Properties[19].Value } |
  ForEach-Object {
    $users = $_.Group | ForEach-Object { $_.Properties[5].Value } | Select-Object -Unique
    [pscustomobject]@{ SourceIp = $_.Name; Failures = $_.Count; Accounts = @($users).Count }
  } |
  Where-Object { $_.Failures -gt 5 -and $_.Accounts -gt 1 } |
  Select-Object SourceIp, Failures, Accounts

Event ID 4776 — NTLM Authentication Attempt

NTLM is the gift that keeps on giving for attackers. It doesn't require Kerberos pre-authentication, it's susceptible to pass-the-hash attacks, and it's often the only authentication method that works when others are blocked.

You should be blocking NTLM by default and only allowing it where absolutely necessary. Event 4776 tells you when NTLM is being used.

# Find NTLM authentications to sensitive resources
# 4776 Properties: [0] = PackageName, [1] = TargetUserName, [2] = Workstation, [3] = Status
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4776} |
  Select-Object TimeCreated,
    @{N='TargetAccount';E={$_.Properties[1].Value}},
    @{N='Workstation';E={$_.Properties[2].Value}},
    @{N='AuthenticationPackage';E={$_.Properties[0].Value}},
    @{N='Status';E={$_.Properties[3].Value}}

Event ID 4670 — Security Token Request

This event shows when Kerberos service tickets are requested. Look for unusual patterns:

2. Kerberoasting Events

Kerberoasting is when an attacker requests a service ticket for a service account with a servicePrincipalName (SPN) and cracks it offline. The attack doesn't require privileged access — just the ability to query AD for SPNs.

Event ID 4768 — Kerberos Ticket Granting Ticket (TGT) Request

This is the TGT request event. Look for:

# Find users requesting tickets for SPN-enabled accounts
# 4768 Properties[0] = TargetUserName, the account the TGT was issued to;
# computer accounts end in "$" and are skipped
$ticketRequests = Get-WinEvent -FilterHashtable @{LogName='Security';ID=4768} |
  Where-Object { $_.Properties[0].Value -notlike '*$' }
$requesters = $ticketRequests | ForEach-Object { $_.Properties[0].Value } | Select-Object -Unique

# Cross-reference with SPN-enabled accounts
Get-ADUser -Filter {ServicePrincipalName -like "*"} -Properties ServicePrincipalName |
  Where-Object { $requesters -contains $_.SamAccountName } |
  Select-Object Name, SamAccountName, ServicePrincipalName

Event ID 4769 — Kerberos Service Ticket Request

This is the actual service ticket request. When combined with 4768, it tells you the full Kerberoasting attack pattern:

  1. User requests TGT (4768)
  2. User requests service ticket for SPN-enabled account (4769)

Event 4769 includes the ticket encryption type. RC4_HMAC_MD5 is suspicious — AES would be normal for modern systems.

# Find RC4 ticket requests (suspicious for Kerberoasting)
# 4769 Properties: [0] = TargetUserName (client), [2] = ServiceName,
# [5] = TicketEncryptionType, logged as a hex code; 0x17 is RC4_HMAC_MD5
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4769} |
  Where-Object { $_.Properties[5].Value -eq '0x17' } |
  Select-Object TimeCreated,
    @{N='ServiceName';E={$_.Properties[2].Value}},
    @{N='ClientAccount';E={$_.Properties[0].Value}}

3. AS-REP Roasting Events

AS-REP roasting targets accounts with "Do not require Kerberos pre-authentication" enabled. These accounts can have their initial authentication response (AS-REP) captured and cracked offline.

Event ID 4768 — With Preauth Disabled Flag

When a user requests a TGT without pre-authentication, the event shows SpecialServices = 4 (this means no pre-auth required). This is your AS-REP roasting target.

Event ID 4624 — Successful Logon with TicketType = 0

Event ID 4624 shows successful logons. When TicketType = 0, it means no pre-authentication was required — that's your AS-REP roasting victim.

# Find accounts with pre-auth disabled (Get-ADUser exposes the UAC flag as DoesNotRequirePreAuth)
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuth |
  Select-Object Name, SamAccountName, DoesNotRequirePreAuth

# Find successful logons without pre-auth
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624} |
  Where-Object { $_.Properties[17].Value -eq "0" } |
  Select-Object TimeCreated, @{N='Account';E={$_.Properties[5].Value}}

4. Lateral Movement Events

This category covers attackers moving from one system to another using stolen credentials.

Event ID 4624 — Successful Logon Type 3 (Network)

Type 3 logons are network connections — SMB, RDP, WinRM, etc. Look for:

# Find sources making many network (Type 3) logons
# 4624 Properties: [5] = TargetUserName, [8] = LogonType, [18] = IpAddress
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624} |
  Where-Object { $_.Properties[8].Value -eq 3 } |
  Group-Object { $_.Properties[18].Value }, { $_.Properties[5].Value } |
  Where-Object { $_.Count -gt 10 } |
  Select-Object Name, Count

Event ID 4672 — Special Privileges Assigned

This event shows when special privileges like SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege are assigned. These are the privileges needed for token impersonation attacks.

# Find privilege assignments to service accounts
# 4672 Properties: [1] = SubjectUserName, [4] = PrivilegeList
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4672} |
  Where-Object { $_.Properties[1].Value -match "Service" } |
  Select-Object TimeCreated,
    @{N='Account';E={$_.Properties[1].Value}},
    @{N='Privileges';E={$_.Properties[4].Value}}

5. DCSync Events

DCSync is when an attacker simulates a domain controller replication to extract password hashes. This doesn't require direct DC access — just the right permissions (Replicate Directory Changes).

Event ID 4662 — Operation on an Object

This is the key event for detecting DCSync. Look for replication operations:

# Find DCSync-like activity
# 4662 Properties: [1] = SubjectUserName, [6] = ObjectName, [7] = OperationType,
# [11] = Properties, which lists the access rights used by their GUIDs:
#   1131f6aa-9c07-11d1-f79f-00c04fc2dcd2  DS-Replication-Get-Changes
#   1131f6ad-9c07-11d1-f79f-00c04fc2dcd2  DS-Replication-Get-Changes-All
#   89e95b76-444d-4c62-991a-0facbeda640c  DS-Replication-Get-Changes-In-Filtered-Set
$replicationGuids = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2|1131f6ad-9c07-11d1-f79f-00c04fc2dcd2|89e95b76-444d-4c62-991a-0facbeda640c'
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4662} |
  Where-Object { $_.Properties[11].Value -match $replicationGuids } |
  Select-Object TimeCreated,
    @{N='SubjectAccount';E={$_.Properties[1].Value}},
    @{N='TargetObject';E={$_.Properties[6].Value}},
    @{N='OperationType';E={$_.Properties[7].Value}}

Event ID 5136 — Directory Service Object Change

This event shows when AD objects are modified. Look for:

# Monitor privileged group changes
# 5136 Properties: [3] = SubjectUserName, [8] = ObjectDN, [11] = AttributeLDAPDisplayName, [13] = AttributeValue
Get-WinEvent -FilterHashtable @{LogName='Security';ID=5136} |
  Where-Object { $_.Properties[8].Value -match "Domain Admins|Enterprise Admins" } |
  Select-Object TimeCreated,
    @{N='Actor';E={$_.Properties[3].Value}},
    @{N='Object';E={$_.Properties[8].Value}},
    @{N='Attribute';E={$_.Properties[11].Value}},
    @{N='Value';E={$_.Properties[13].Value}}

My Detection Stack

Here's my actual detection configuration from real engagements:

Attack Type        Key Events                 Correlation Rule
Password Spray     4625                       >5 failures in <5 min to different accounts from same IP
Kerberoasting      4768, 4769                 TGT request followed by service ticket for SPN-enabled account
AS-REP Roasting    4768 (SpecialServices=4)   TGT request without pre-authentication
DCSync             4662 (DS-Replication)      Non-DC accessing replication operations
Lateral Movement   4624 (Type=3)              Multiple systems accessed in <10 min from single source
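The password-spray and lateral-movement rows of this table as a runnable sliding-window correlation; this is an added example, not code from the post, and it runs in pwsh over constructed sample events instead of a live Security log. It assumes the events have already been mapped into objects with Id, Time, IpAddress, TargetUserName, LogonType and Computer (the host that logged the event).

```powershell
# Added example (not from the original post): sliding-window correlation for the
# password-spray and lateral-movement rules in the table, run over constructed
# sample events so it works offline in pwsh. Assumed input shape: objects with
# Id, Time, IpAddress, TargetUserName, LogonType and Computer (the logging host).
function Find-SourceBurst {
    param(
        [object[]]$Events,       # already filtered to the relevant event ID / type
        [string]$DistinctField,  # field whose distinct values are counted per window
        [int]$MinEvents,         # alert when a window holds MORE than this many events
        [int]$MinDistinct,       # ...and at least this many distinct values
        [int]$WindowMinutes,
        [string]$RuleName
    )
    # One timeline per source IP; slide a window starting at each event
    foreach ($grp in ($Events | Group-Object IpAddress)) {
        $sorted = @($grp.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].Time; $end = $start.AddMinutes($WindowMinutes)
            $win = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -lt $end })
            $distinct = @($win.$DistinctField | Select-Object -Unique)
            if ($win.Count -gt $MinEvents -and $distinct.Count -ge $MinDistinct) {
                [pscustomobject]@{ Rule=$RuleName; Source=$grp.Name; Events=$win.Count
                                   Distinct=$distinct.Count; WindowStart=$start }
                break   # one alert per source is enough
            }
        }
    }
}

# Constructed sample data (not real logs): a spray burst, one noisy account, one lateral move
$t0 = [datetime]'2024-01-01T03:00:00'
$sample = @()
$i = 0
foreach ($u in 'alice','bob','carol','dave','erin','frank') {   # 6 users in 1 minute from one IP
    $sample += [pscustomobject]@{ Id=4625; Time=$t0.AddSeconds(10*$i++); IpAddress='10.0.0.5'; TargetUserName=$u; LogonType=3; Computer='DC01' }
}
foreach ($m in 2,4,6,8,10,12,14) {                              # one account failing every 2 min (no spray)
    $sample += [pscustomobject]@{ Id=4625; Time=$t0.AddMinutes($m); IpAddress='10.0.0.9'; TargetUserName='svc_backup'; LogonType=3; Computer='FS01' }
}
$i = 0
foreach ($h in 'FS01','WEB02','SQL03','HR04') {                 # 4 hosts in 4 minutes from one IP
    $sample += [pscustomobject]@{ Id=4624; Time=$t0.AddMinutes($i++); IpAddress='10.0.0.7'; TargetUserName='bob'; LogonType=3; Computer=$h }
}

$spray   = Find-SourceBurst -Events ($sample | Where-Object Id -eq 4625) -DistinctField TargetUserName -MinEvents 5 -MinDistinct 2 -WindowMinutes 5 -RuleName PasswordSpray
$lateral = Find-SourceBurst -Events ($sample | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq 3 }) -DistinctField Computer -MinEvents 2 -MinDistinct 3 -WindowMinutes 10 -RuleName LateralMovement
@($spray) + @($lateral) | Format-Table
```

The single-account source (10.0.0.9) never alerts because the distinct-account requirement separates a locked-out service from a spray; feeding the same function the output of the Get-WinEvent queries above only needs the property mapping in the lead-in.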

Final Thought

You don't need to collect every security event. You need the right events, monitored for the right patterns. Start with these 15 event IDs and build your detection around actual attack patterns, not Microsoft's internal numbering scheme.

The attackers aren't looking at Event IDs — they're thinking about what they want to achieve (credentials, access, persistence). Your detection should mirror that thinking. Identify the attack objectives first, then find the events that reveal those objectives.

Once you have these 15 events monitored correctly, you'll be surprised how many attacks you catch — and how few false positives you get. It's not about quantity; it's about relevance.