Kerberoasting Activity - Initial Query

Sigma Rules

Summary
This detection rule is designed to identify potential Kerberoasting activity on Windows systems. Kerberoasting is a common attack method used by adversaries to compromise service accounts by requesting service tickets and subsequently cracking them. The rule captures security events related to Kerberos ticket requests, specifically Event ID 4769 (a Kerberos service ticket was requested). It filters for requests where the service name ends with 'krbtgt' or contains a dollar sign ($), indicating a service account. The primary aim is to monitor for excessive ticket requests made from a single host or IP address targeting multiple service names within a defined period, since that pattern is potentially indicative of a Kerberoasting attack. To turn this into an alert, organizations set a threshold for the number of distinct service names requested and the time interval over which those requests are counted.
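As an added illustration of the aggregation the summary describes (this is example code written for this page, not the Sigma rule itself and not from the rule's author), the Python below takes Event ID 4769 records, groups them by source IP, and reports any source that requested tickets for at least a threshold number of distinct service names inside a sliding time window. The event records, thresholds and the `IpAddress`/`ServiceName` field names are constructed inputs. The `filter_mode` parameter is this example's own assumption: the summary reads the krbtgt/`$` name test as what the rule captures, while a Sigma `filter` selection is normally negated in the rule's condition, so confirm against the rule source and run whichever mode matches it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tunable thresholds (assumed values; the page leaves them to the organization).
WINDOW_SECONDS = 120
MIN_DISTINCT_SERVICES = 5

# Constructed sample records in the shape of Security Event ID 4769 fields
# (not captured from a real system). 10.0.0.5 requests tickets for many
# distinct service names within under a minute; 10.0.0.9 makes routine
# requests; one 4768 record is included to show the EventID filter.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TimeCreated": "2022-01-21T10:00:01", "IpAddress": "10.0.0.5", "ServiceName": "svc_sql"},
    {"EventID": 4769, "TimeCreated": "2022-01-21T10:00:03", "IpAddress": "10.0.0.5", "ServiceName": "svc_web"},
    {"EventID": 4769, "TimeCreated": "2022-01-21T10:00:04", "IpAddress": "10.0.0.5", "ServiceName": "krbtgt"},
    {"EventID": 4769, "TimeCreated": "2022-01-21T10:00:08", "IpAddress": "10.0.0.5", "ServiceName": "svc_backup"},
    {"EventID": 4769, "TimeCreated": "2022-01-21T10:00:15", "IpAddress": "10.0.0.5", "ServiceName": "svc_mssql2"},
    {"EventID": 4769, "TimeCreated": "2022-01-21T10:00:20", "IpAddress": "10.0.0.5", "ServiceName": "WKSTN01$"},
    {"EventID": 4769, "TimeCreated": "2022-01-21T10:00:31", "IpAddress": "10.0.0.5", "ServiceName": "svc_exchange"},
    {"EventID": 4769, "TimeCreated": "2022-01-21T10:00:45", "IpAddress": "10.0.0.5", "ServiceName": "svc_sharepoint"},
    {"EventID": 4769, "TimeCreated": "2022-01-21T10:00:50", "IpAddress": "10.0.0.5", "ServiceName": "svc_sql"},
    {"EventID": 4769, "TimeCreated": "2022-01-21T10:01:00", "IpAddress": "10.0.0.9", "ServiceName": "svc_web"},
    {"EventID": 4769, "TimeCreated": "2022-01-21T10:30:00", "IpAddress": "10.0.0.9", "ServiceName": "svc_sql"},
    {"EventID": 4768, "TimeCreated": "2022-01-21T10:00:02", "IpAddress": "10.0.0.5", "ServiceName": "krbtgt"},
]


def matches_service_name_filter(service_name):
    """The name test named in the summary: ends with 'krbtgt' or contains '$'."""
    return service_name.endswith("krbtgt") or "$" in service_name


def distinct_services_per_source(events, window_seconds, filter_mode="exclude"):
    """Return {IpAddress: peak number of distinct ServiceNames seen in any
    window of window_seconds}. filter_mode is an assumption of this example:
    "exclude" drops names matching the filter (Sigma 'selection and not filter'),
    "include" keeps only those names (the reading in the summary above)."""
    per_source = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 4769:
            continue
        name = ev["ServiceName"]
        hit = matches_service_name_filter(name)
        if (filter_mode == "exclude" and hit) or (filter_mode == "include" and not hit):
            continue
        per_source[ev["IpAddress"]].append((datetime.fromisoformat(ev["TimeCreated"]), name))

    window = timedelta(seconds=window_seconds)
    peak = {}
    for ip, requests in per_source.items():
        requests.sort()  # chronological, so each start index anchors one window
        best = 0
        for i, (t0, _) in enumerate(requests):
            names = {n for t, n in requests[i:] if t - t0 <= window}
            best = max(best, len(names))
        peak[ip] = best
    return peak


def detect_kerberoasting(events, window_seconds=WINDOW_SECONDS,
                         min_distinct_services=MIN_DISTINCT_SERVICES,
                         filter_mode="exclude"):
    """Sorted list of source IPs whose peak distinct-service count meets the threshold."""
    peak = distinct_services_per_source(events, window_seconds, filter_mode)
    return sorted(ip for ip, n in peak.items() if n >= min_distinct_services)


if __name__ == "__main__":
    for ip, n in distinct_services_per_source(SAMPLE_EVENTS, WINDOW_SECONDS).items():
        print(f"{ip}: peak {n} distinct service names in {WINDOW_SECONDS}s")
    print("alert on:", detect_kerberoasting(SAMPLE_EVENTS))
```

Tune `WINDOW_SECONDS` and `MIN_DISTINCT_SERVICES` against a baseline of your own environment: hosts that legitimately touch many services (monitoring servers, backup agents) will otherwise produce steady false positives, and a source that requests tickets for many distinct services in a short burst is the signal this rule is built around.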
Categories
  • Windows
  • Network
  • Identity Management
Data Sources
  • Logon Session
  • Service
  • Active Directory
Created: 2022-01-21