mdecrevoisier / Windows-authentication-brutforce-cheatsheet

Assists analysts and threat hunters in understanding Windows authentication logs and analyzing brute-force scenarios.

8004

OxD30bfu5c470R opened this issue

Hi @OxD30bfu5c470R. Thanks for the feedback. ID 8004 (and others below) can be used for deeper NTLM analysis, troubleshooting or migration purposes. However, if the intention is to collect them for security purposes (e.g. in a SIEM), I would rather suggest focusing on ID 4776 (failures only) and 4625. So far, the mindmap has been updated to reflect your proposal.

| Event ID | Description |
|---|---|
| 8001 | NTLM client blocked audit: Audit outgoing NTLM authentication traffic that would be blocked. |
| 8002 | NTLM traffic that would be blocked |
| 8003 | NTLM server blocked in the domain audit: Audit NTLM authentication in this domain |
| 8004 | Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller. |
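As an added example, not code from the repository or from the comment above, the following Python script applies the suggestion in that comment to a set of constructed sample events: it keeps 4625 events and only the failing 4776 events (error code other than 0x0), then counts failures per source inside a sliding time window and labels a source as brute force (one account hammered) or password spray (many accounts, few attempts each). The field names, the 5-minute window, the threshold of 5 failures and the 3-user spray cutoff are assumptions chosen for the example, not values from the page or from any Windows documentation.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Each carries a minimal subset of
# the fields found in 4625 (logon failure) and 4776 (NTLM credential validation).
# A 4776 reports success with error code 0x0 and a failure otherwise.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T08:00:01", "id": 4776, "source": "WKS-01", "user": "alice", "code": "0x0"},
    {"time": "2024-01-10T08:00:05", "id": 4625, "source": "10.0.0.7", "user": "bob", "code": "0xC000006D"},
    {"time": "2024-01-10T08:00:09", "id": 4625, "source": "10.0.0.7", "user": "bob", "code": "0xC000006D"},
    {"time": "2024-01-10T08:00:12", "id": 4625, "source": "10.0.0.7", "user": "bob", "code": "0xC000006D"},
    {"time": "2024-01-10T08:00:20", "id": 4625, "source": "10.0.0.7", "user": "bob", "code": "0xC000006D"},
    {"time": "2024-01-10T08:00:31", "id": 4625, "source": "10.0.0.7", "user": "bob", "code": "0xC000006D"},
    {"time": "2024-01-10T08:01:00", "id": 4776, "source": "WKS-09", "user": "carol", "code": "0xC000006A"},
    {"time": "2024-01-10T08:01:03", "id": 4776, "source": "WKS-09", "user": "dave", "code": "0xC000006A"},
    {"time": "2024-01-10T08:01:07", "id": 4776, "source": "WKS-09", "user": "erin", "code": "0xC000006A"},
    {"time": "2024-01-10T08:01:11", "id": 4776, "source": "WKS-09", "user": "frank", "code": "0xC000006A"},
    {"time": "2024-01-10T08:01:15", "id": 4776, "source": "WKS-09", "user": "grace", "code": "0xC000006A"},
    {"time": "2024-01-10T09:30:00", "id": 4625, "source": "10.0.0.9", "user": "heidi", "code": "0xC000006D"},
    {"time": "2024-01-10T09:45:00", "id": 4625, "source": "10.0.0.9", "user": "heidi", "code": "0xC000006D"},
]


def is_failure(ev):
    """4625 is always a failure; 4776 is a failure only when its code is not 0x0.

    Other event IDs (including the 800x NTLM audit events) are ignored here,
    matching the advice to keep 4625 plus failing 4776 for SIEM hunting.
    """
    if ev["id"] == 4625:
        return True
    if ev["id"] == 4776:
        return ev["code"] != "0x0"
    return False


def detect_bruteforce(events, window=timedelta(minutes=5), threshold=5, spray_min_users=3):
    """Return {source: finding} for every source with >= threshold failures in any window.

    The finding records the largest failure count seen for that source, the
    distinct target users in that window, and a pattern label (assumed cutoffs).
    """
    failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if is_failure(ev):
            failures[ev["source"]].append((datetime.fromisoformat(ev["time"]), ev["user"]))

    findings = {}
    for source, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the window fits.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            count = end - start + 1
            if count < threshold:
                continue
            users = sorted({u for _, u in fails[start:end + 1]})
            pattern = "password spray" if len(users) >= spray_min_users else "brute force"
            if source not in findings or count > findings[source]["failures"]:
                findings[source] = {"failures": count, "users": users, "pattern": pattern}
    return findings


if __name__ == "__main__":
    for src, finding in detect_bruteforce(SAMPLE_EVENTS).items():
        print(f"{src}: {finding['pattern']} ({finding['failures']} failures, users={finding['users']})")
```

Run as a script, it reports 10.0.0.7 as brute force (five failures against `bob` in half a minute) and WKS-09 as password spray (five different accounts in 15 seconds), while 10.0.0.9 with two failures an hour apart and the successful 4776 from WKS-01 produce nothing. The same filter and windowing logic translates directly into a SIEM correlation rule.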