
Summary
This analytic rule detects potential Kerberoasting attacks by identifying service ticket requests that use RC4 encryption, as indicated by specific Ticket_Options values within the Windows Security event log (Event ID 4769). Kerberoasting is a technique in which an attacker requests service tickets for service accounts and attempts to crack them offline, potentially gaining unauthorized access and escalating privileges in the Active Directory environment. By monitoring these requests, security teams can identify suspicious activity that may indicate an attempt to abuse service accounts. Implementing this rule requires ingesting Domain Controller logs and enabling the specific audit policies needed to capture the relevant events.
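The following is an added illustration of the detection logic described above; it is not the rule's own search and not code from the page. It parses constructed, flattened Event ID 4769 records (the field names TicketEncryptionType, TicketOptions, Status, ServiceName, TargetUserName and IpAddress are assumptions modelled on the event's XML fields), flags successful service ticket requests with encryption type 0x17 (RC4-HMAC), drops machine accounts and krbtgt to cut noise, and then groups by requester so that one principal fanning out across many distinct services stands out. The fan-out threshold is an assumed tuning knob, not something the page specifies.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample 4769 records in a flattened key=value form,
# as an ingested Windows Security log might look. Not real data.
SAMPLE_EVENTS = [
    "EventID=4769 TargetUserName=jsmith@CORP.LOCAL ServiceName=svc_sql TicketOptions=0x40810000 TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:10.0.0.25",
    "EventID=4769 TargetUserName=jsmith@CORP.LOCAL ServiceName=svc_http TicketOptions=0x40810000 TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:10.0.0.25",
    "EventID=4769 TargetUserName=jsmith@CORP.LOCAL ServiceName=svc_backup TicketOptions=0x40810000 TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:10.0.0.25",
    # Machine account ticket using AES256: normal traffic, must not fire.
    "EventID=4769 TargetUserName=jsmith@CORP.LOCAL ServiceName=WS01$ TicketOptions=0x40810000 TicketEncryptionType=0x12 Status=0x0 IpAddress=::ffff:10.0.0.25",
    # AES ticket for a service account: not RC4, must not fire.
    "EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_sql TicketOptions=0x40810000 TicketEncryptionType=0x12 Status=0x0 IpAddress=::ffff:10.0.0.30",
    # krbtgt is excluded: TGT renewals legitimately show up as 4769.
    "EventID=4769 TargetUserName=jsmith@CORP.LOCAL ServiceName=krbtgt TicketOptions=0x40810000 TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:10.0.0.25",
    # Failed request (non-zero status): no ticket was issued, ignore.
    "EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_sql TicketOptions=0x40810000 TicketEncryptionType=0x17 Status=0x1b IpAddress=::ffff:10.0.0.77",
    # Single RC4 request from alice: a hit, but below a fan-out threshold of 2.
    "EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_sql TicketOptions=0x40810000 TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:10.0.0.77",
]

RC4_HMAC = 0x17      # Kerberos etype 23, shown as 0x17 in the 4769 event
STATUS_SUCCESS = 0x0  # Status 0x0 means the KDC actually issued the ticket


def parse_event(line: str) -> Dict[str, str]:
    """Split a flattened key=value record into a dict (constructed format)."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def is_suspicious(event: Dict[str, str]) -> bool:
    """True for a successful RC4 service ticket issued for a non-machine, non-krbtgt SPN."""
    if event.get("EventID") != "4769":
        return False
    if int(event.get("TicketEncryptionType", "0x0"), 16) != RC4_HMAC:
        return False
    if int(event.get("Status", "0xffffffff"), 16) != STATUS_SUCCESS:
        return False
    service = event.get("ServiceName", "")
    # Machine accounts (trailing $) and krbtgt produce benign RC4/TGS noise.
    if service.endswith("$") or service.lower().startswith("krbtgt"):
        return False
    return True


def detect(lines: List[str]) -> Dict[Tuple[str, str], List[str]]:
    """Group suspicious requests by (requesting account, source IP) -> distinct services."""
    hits: Dict[Tuple[str, str], set] = defaultdict(set)
    for line in lines:
        event = parse_event(line)
        if is_suspicious(event):
            key = (event["TargetUserName"], event["IpAddress"])
            hits[key].add(event["ServiceName"])
    return {key: sorted(services) for key, services in hits.items()}


def fan_out_alerts(lines: List[str], min_services: int = 2) -> Dict[Tuple[str, str], List[str]]:
    """Keep only requesters that pulled RC4 tickets for at least min_services distinct SPNs.

    The threshold is an assumed tuning value; one RC4 request can be legitimate
    (legacy service), whereas many distinct SPNs in quick succession rarely are.
    """
    return {key: svcs for key, svcs in detect(lines).items() if len(svcs) >= min_services}


if __name__ == "__main__":
    for (account, ip), services in fan_out_alerts(SAMPLE_EVENTS).items():
        print(f"ALERT {account} from {ip}: RC4 tickets for {', '.join(services)}")
```

In a real deployment the 4769 events only exist if the "Audit Kerberos Service Ticket Operations" subcategory (Account Logon) is enabled on the Domain Controllers, which is the audit-policy prerequisite the summary refers to; the grouping step is what separates a single legacy RC4 request from the many-SPN pattern worth an analyst's time.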
Categories
- Windows
- Identity Management
- Endpoint
Data Sources
- Windows Registry
- Logon Session
- Active Directory
ATT&CK Techniques
- T1208
- T1558
- T1558.003
Created: 2024-12-10