Forum Discussion
kuglidani
Nov 28, 2025
Copper Contributor
IdentityLogonEvents - IsNtlmV1
Hi,
I cannot find documentation on how the IdentityLogonEvents table's AdditionalFields.IsNtlmV1 is populated.
In a demo environment, I intentionally "enforced" NTLMv1 and made an NTLMv1 connection to a domain controller.
In the DC's Security log, event ID 4624 shows the correct info:

```
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 128
```
On the MDI side, however, it looks like this (using the following KQL to display the relevant info here):

```kusto
IdentityLogonEvents
| where ReportId == @"f70dbd37-af8e-4e4e-a77d-b4250f9e0d0b"
| extend todynamic(AdditionalFields)
| project TimeGenerated, ActionType, Application, LogonType, Protocol, IsNtlmV1 = AdditionalFields.IsNtlmV1
```

| TimeGenerated | ActionType | Application | LogonType | Protocol | IsNtlmV1 |
|---|---|---|---|---|---|
| Nov 28, 2025 10:43:05 PM | LogonSuccess | Active Directory | Credentials validation | Ntlm | false |
Can someone please explain under which circumstances the IsNtlmV1 property will become "true"?
Thank you in advance
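One way to measure the discrepancy described in the post across a whole workspace, as an added example that is not part of the original post or of Microsoft's documentation: it lists every 4624 logon the DC recorded as `NTLM V1` and shows whether a nearby IdentityLogonEvents row exists and whether that row has `IsNtlmV1` set. Assumptions: the DCs' Security log is ingested into the `SecurityEvent` table of the same workspace, account names match between the two tables after lowercasing, and the 2-minute correlation window and 1-day lookback are arbitrary choices.

```kusto
// Added example. Assumes DC Security events land in SecurityEvent (same workspace).
let lookback = 1d;   // assumed lookback period
let window = 2m;     // assumed tolerance between DC and MDI timestamps
let ntlmv1_4624 =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624
    | where AuthenticationPackageName == "NTLM" and LmPackageName == "NTLM V1"
    | project EventTime = TimeGenerated, DC = Computer,
              AccountName = tolower(TargetUserName), SourceIp = IpAddress;
let mdi_ntlm =
    IdentityLogonEvents
    | where TimeGenerated > ago(lookback)
    | where Protocol =~ "Ntlm"
    | extend AdditionalFields = todynamic(AdditionalFields)
    | project MdiTime = TimeGenerated, AccountName = tolower(AccountName),
              ReportId, IsNtlmV1 = tobool(AdditionalFields.IsNtlmV1);
ntlmv1_4624
// leftouter keeps 4624 events that have no MDI counterpart at all
| join kind=leftouter (mdi_ntlm) on AccountName
| extend InWindow = isnotnull(MdiTime)
                    and MdiTime >= EventTime - window
                    and MdiTime <= EventTime + window
| summarize MdiMatches   = countif(InWindow),
            MdiFlaggedV1 = countif(InWindow and IsNtlmV1 == true),
            ReportIds    = make_set_if(ReportId, InWindow)
        by EventTime, DC, AccountName, SourceIp
| extend Verdict = case(
            MdiMatches == 0,   "no MDI event in window",
            MdiFlaggedV1 == 0, "MDI event present, IsNtlmV1 not true",
                               "consistent")
| order by EventTime desc
```

Rows with the verdict "MDI event present, IsNtlmV1 not true" reproduce the case shown in the post; the 4624-based filter on `LmPackageName` can also serve as an NTLMv1 detection that does not depend on the MDI field.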