What does a missing "Account" field mean in Windows event 4769 (A Kerberos service ticket was requested)?
Solution 1:
Yes, according to the documentation, the Account Name (aka TargetUserName) field on 4769 Kerberos service ticket request events is optional and can sometimes be empty.
With that being said, I checked my AD environment and only ever see that field empty when it is an Audit Failure event. The status codes on the events having the missing account name information include KRB_AP_ERR_TKT_EXPIRED (The ticket has expired), KRB_AP_ERR_BAD_INTEGRITY (Integrity check on decrypted field failed), and KRB_AP_ERR_SKEW (The clock skew is too great).
For Kerberoasting detection, you should only be concerned with the success events. And I'd focus more on the source IP address of the ticket requests.
You may want to consider setting up a honeypot account in your domain with a bogus SPN registered to it and alert on any service ticket requests against that particular SPN. This is explained in more detail on adsecurity.org. This technique is quite powerful because the typical Kerberoasting attack will involve a request of all user accounts having an SPN registered.