D4 · Operations

What are key Windows Security Event IDs?

Key IDs: 4624 (logon success), 4625 (logon failure), 4648 (explicit credential logon), 4672 (admin privilege assigned), 4688 (process creation), 4698 (scheduled task created), 4719 (audit policy changed).
A spike in 4625 events suggests a brute-force attempt. 4648 is a lateral movement indicator. 4688, with command line logging enabled, supports detection of malicious commands. 4698 flags a new scheduled task (persistence). Forward the Security log to a SIEM. Enable command line logging in the audit policy; without it, 4688 is of little use.