D4 · Operations

What are Windows Event Logs?

Key Windows Security Event IDs: 4624 (successful logon), 4625 (failed logon), 4648 (logon with explicit credentials), 4672 (special privileges assigned), 4688 (process creation), 4698 (scheduled task created).
A burst of 4625 failures against many different accounts from one source is the signature of a password spray. 4648 logons (credentials explicitly supplied for a different account) are a lateral-movement indicator. 4688 events include the full command line only when command-line logging is enabled, and that is what exposes malicious commands. Forward the Security event log to a SIEM, and enable command-line logging in the process-creation audit policy.
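The three detection points above (spray = many accounts failing from one source in a short window, 4648 as a lateral-movement indicator, 4688 only useful with command lines present) as an added, self-contained example in Python. This is not code from the page or from any Microsoft tooling; the events are constructed in-line with a minimal subset of Security-log fields, the threshold of 5 accounts in 5 minutes is an assumed starting point to tune per environment, and the `cmdline`/`target` field names are this example's own.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample Security-log events (hypothetical; not captured from a real host).
# Only the fields the checks below need are modelled.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T08:00:00", "id": 4625, "src": "10.0.0.5", "account": "alice"},
    {"time": "2024-03-01T08:00:02", "id": 4625, "src": "10.0.0.5", "account": "bob"},
    {"time": "2024-03-01T08:00:04", "id": 4625, "src": "10.0.0.5", "account": "carol"},
    {"time": "2024-03-01T08:00:06", "id": 4625, "src": "10.0.0.5", "account": "dave"},
    {"time": "2024-03-01T08:00:08", "id": 4625, "src": "10.0.0.5", "account": "erin"},
    {"time": "2024-03-01T08:00:10", "id": 4624, "src": "10.0.0.5", "account": "erin"},
    # One user mistyping their own password twice is noise, not a spray.
    {"time": "2024-03-01T09:15:00", "id": 4625, "src": "10.0.0.9", "account": "frank"},
    {"time": "2024-03-01T09:15:30", "id": 4625, "src": "10.0.0.9", "account": "frank"},
    # Explicit-credential logon toward another host (assumed 'target' field).
    {"time": "2024-03-01T09:20:00", "id": 4648, "src": "10.0.0.5", "account": "erin",
     "target": "FILESRV01"},
    # Two process-creation events: one with a command line, one without.
    {"time": "2024-03-01T09:21:00", "id": 4688, "src": "10.0.0.5", "account": "erin",
     "cmdline": "notepad.exe C:\\Users\\erin\\notes.txt"},
    {"time": "2024-03-01T09:22:00", "id": 4688, "src": "10.0.0.5", "account": "erin",
     "cmdline": ""},
]


def _parse_time(value):
    return datetime.fromisoformat(value)


def detect_password_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag each source that produced 4625 failures for at least `min_accounts`
    distinct accounts inside any `window`-long sliding interval.

    Returns {source: sorted list of accounts seen in flagged intervals}.
    """
    failures = sorted((e for e in events if e["id"] == 4625), key=lambda e: e["time"])
    by_src = defaultdict(list)
    for event in failures:
        by_src[event["src"]].append(event)

    flagged = defaultdict(set)
    for src, evs in by_src.items():
        recent = deque()  # (timestamp, account) pairs inside the current window
        for event in evs:
            now = _parse_time(event["time"])
            recent.append((now, event["account"]))
            while recent and now - recent[0][0] > window:
                recent.popleft()
            accounts = {account for _, account in recent}
            if len(accounts) >= min_accounts:
                flagged[src].update(accounts)
    return {src: sorted(accounts) for src, accounts in flagged.items()}


def explicit_credential_logons(events):
    """Return (account, source, target) for every 4648 event so an analyst can
    review where explicitly supplied credentials were used."""
    return [(e["account"], e["src"], e.get("target", ""))
            for e in events if e["id"] == 4648]


def process_events_without_cmdline(events):
    """Count 4688 events with an empty command line. A non-zero count on a host
    means the 'Include command line in process creation events' policy is not
    in effect there, so 4688 is not yet revealing what was run."""
    return sum(1 for e in events if e["id"] == 4688 and not e.get("cmdline"))


if __name__ == "__main__":
    print("possible password spray:", detect_password_spray(SAMPLE_EVENTS))
    print("explicit-credential logons:", explicit_credential_logons(SAMPLE_EVENTS))
    print("4688 events missing command line:", process_events_without_cmdline(SAMPLE_EVENTS))
```

The spray check keys on distinct accounts per source rather than raw failure count, which is what separates a spray from a single user locking themselves out; the same three functions work unchanged on events exported from a SIEM once they are mapped to the `time`, `id`, `src`, `account`, `target` and `cmdline` fields assumed here.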