Forum Discussion
IdentityLogonEvents - IsNtlmV1
Hi!
Thank you for this very detailed explanation. I tried to reproduce the issue and capture network packets.
What I see so far:
NTLM v2 - this one is clear, posting just to compare:
- LM response length: 24
- NTLM response length: 332, includes NTLMv2 response field
- negotiate flags: 0xe2888215
NTLM v1:
- LM response length: 24
- NTLM response length: 24
- Negotiate flags: 0xe2888215
[some info redacted]
The nego flags include "Negotiate Extended Security" = 1 (Set)
Based on what you wrote, Extended security is typically used in NTLMv2, but all the other characteristics seem to be NTLMv1. What am I missing?
(Initiating NTLMv1 client is a Windows Server 2016, lmCompatibilityLevel is set to 0)
I believe the individual who replied to your question generated their response using an AI tool. Given the technical nature of your inquiry, it would not surprise me if the answer provided was a hallucination. (I'm not saying it definitely is, but you may want to treat its accuracy with some skepticism.)
- Lucaraheller, Feb 19, 2026, MCT
Ryan, thank you for your comment.
The explanation I shared is based on the documented behavior of Microsoft Defender for Identity, specifically how the sensor classifies NTLMv1 based on the structure of the NTLMSSP handshake observed in the traffic, and not on the Event ID 4624 label.
The central point is that the AdditionalFields.IsNtlmV1 field in IdentityLogonEvents is not derived from the Windows security log, but rather from the inspection of the NTLM AUTHENTICATE message captured by the sensor. The distinction between NTLMv1 and NTLMv2 depends on the response structure (24-byte NT response vs. presence of NTLMv2 blob/AV pairs/HMAC), and not just the “Package Name (NTLM only)” field displayed in 4624.
If there is additional official documentation that describes the sensor's internal classification mechanism differently, I would be happy to review it. The goal here is to understand exactly under what conditions IsNtlmV1 is set to true.
I appreciate any additional technical insights.
- RyanSteele-CoV, Feb 24, 2026, Steel Contributor
Lucaraheller, I think kuglidani would find it helpful if you shared a link to the documentation you are referring to when you mention "the documented behavior of Microsoft Defender for Identity, specifically how the sensor classifies NTLMv1 based on the structure of the NTLMSSP handshake observed in the traffic".
- Lucaraheller, Feb 27, 2026, MCT
Ryan, thank you for the suggestion.
You are absolutely right to ask for the documentation reference. To clarify, my statement was based on how Microsoft Defender for Identity analyzes NTLM traffic at the protocol level rather than on a specific public document that explicitly describes the internal classification logic for the IsNtlmV1 field.
The understanding comes from how NTLMSSP works: NTLMv1 and NTLMv2 can be distinguished by examining the structure of the NTLM AUTHENTICATE message, specifically the NT response format (24-byte NT response in NTLMv1 versus NTLMv2 response structure with blob, AV pairs, and HMAC). Since Defender for Identity sensors inspect network traffic and parse authentication protocols, the assumption is that the IsNtlmV1 flag is derived from the NTLM response structure observed in the handshake, not solely from Windows Security Event ID 4624 or the “Package Name” field.
That said, I have not found official Microsoft documentation that explicitly details the exact internal logic used by the sensor to populate AdditionalFields.IsNtlmV1 in IdentityLogonEvents. If such documentation exists, I would genuinely appreciate a reference to it.
My goal here is to understand precisely which conditions and parsing rules cause IsNtlmV1 to be set to true, especially in scenarios where event 4624 may not clearly differentiate between NTLMv1 and NTLMv2.
Thanks again for pushing for clarification.
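Added example (editor's code, not from any participant in this thread and not Microsoft's or the Defender for Identity sensor's own logic): a small parser that applies the structural rule Lucaraheller describes, and that MS-NLMP documents, to an NTLMSSP AUTHENTICATE_MESSAGE. Per MS-NLMP, an NTLMv1 NtChallengeResponse is always a 24-byte DESL output, both in its plain form and in the "NTLM2 session response" variant that is used when NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY (0x00080000, shown by Wireshark as "Negotiate Extended Security") is negotiated; in that variant the LmChallengeResponse is an 8-byte client challenge followed by 16 zero bytes. An NTLMv2 NtChallengeResponse is an NTLMv2_RESPONSE (16-byte NTProofStr followed by a client-challenge blob starting with RespType 0x01, HiRespType 0x01, containing AV pairs), so it is always longer than 24 bytes. The flag value 0xe2888215 from the captures above is decoded to show that extended session security is set in both the v1 and v2 cases. The two messages, the NT hash used as an HMAC key, and the AV pairs are constructed inline for the demo; whether the MDI sensor applies exactly this rule when populating IsNtlmV1 is an assumption, as the thread notes that the internal logic is not documented.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass

# Subset of NTLMSSP negotiate flags, MS-NLMP section 2.2.2.5.
NEGOTIATE_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLM_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000080: "NTLMSSP_NEGOTIATE_LM_KEY",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}
EXTENDED_SESSION_SECURITY = 0x00080000
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE_MESSAGE = 3
FIXED_PART_LEN = 88  # header 12 + six *Fields 48 + NegotiateFlags 4 + Version 8 + MIC 16


def decode_flags(flags):
    """Return the names of the known flag bits set in a NegotiateFlags value."""
    return [name for bit, name in sorted(NEGOTIATE_FLAGS.items()) if flags & bit]


def _field(buf, off):
    # Each *Fields entry is Len(2) MaxLen(2) BufferOffset(4), little-endian.
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, off)
    return buf[offset:offset + length]


@dataclass
class Classification:
    version: str
    lm_len: int
    nt_len: int
    extended_session_security: bool
    note: str


def classify_authenticate(msg):
    """Classify an AUTHENTICATE_MESSAGE by the layout of its NT response, not by its flags."""
    if msg[:8] != NTLMSSP_SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE_MESSAGE:
        raise ValueError("not an NTLMSSP AUTHENTICATE_MESSAGE")
    lm = _field(msg, 12)   # LmChallengeResponseFields
    nt = _field(msg, 20)   # NtChallengeResponseFields
    flags = struct.unpack_from("<I", msg, 60)[0]
    ess = bool(flags & EXTENDED_SESSION_SECURITY)
    if len(nt) == 24:
        # NTLMv1: the NT response is a 24-byte DESL output whether or not
        # extended session security (the "NTLM2 session response") was negotiated.
        if ess and len(lm) == 24 and lm[8:] == bytes(16):
            note = "NTLMv1, NTLM2 session response (LM = 8-byte client challenge + 16 zero bytes)"
        else:
            note = "NTLMv1, plain (LM and NT responses both 24 bytes)"
        return Classification("NTLMv1", len(lm), len(nt), ess, note)
    if len(nt) > 24 and nt[16] == 0x01 and nt[17] == 0x01:
        # NTLMv2_RESPONSE = NTProofStr(16) || RespType 0x01, HiRespType 0x01, ..., AV pairs
        return Classification("NTLMv2", len(lm), len(nt), ess,
                              "NTLMv2_RESPONSE (NTProofStr + client challenge blob with AV pairs)")
    return Classification("unknown", len(lm), len(nt), ess, "unrecognised NT response layout")


def build_authenticate(lm, nt, flags, domain="CORP", user="svc-backup", workstation="SRV2016"):
    """Constructed AUTHENTICATE_MESSAGE for the demo; Version and MIC are zero-filled."""
    payload_items = [lm, nt, domain.encode("utf-16-le"), user.encode("utf-16-le"),
                     workstation.encode("utf-16-le"), b""]  # empty EncryptedRandomSessionKey
    header = bytearray(NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE))
    offset, payload = FIXED_PART_LEN, b""
    for item in payload_items:
        header += struct.pack("<HHI", len(item), len(item), offset)
        offset += len(item)
        payload += item
    header += struct.pack("<I", flags) + bytes(8) + bytes(16)
    return bytes(header) + payload


def constructed_ntlmv2_response(server_challenge, client_challenge, timestamp, av_pairs):
    """NTLMv2_RESPONSE built with a constructed 16-byte NTOWFv2 key (not a real hash)."""
    blob = bytes([0x01, 0x01]) + bytes(6) + struct.pack("<Q", timestamp) + client_challenge + bytes(4) + av_pairs + bytes(4)
    constructed_ntowf_v2 = bytes(range(16))  # constructed stand-in for HMAC-MD5(NT hash, USER||DOMAIN)
    nt_proof_str = hmac.new(constructed_ntowf_v2, server_challenge + blob, hashlib.md5).digest()
    return nt_proof_str + blob


# Constructed sample messages mirroring the two captures described in the thread.
FLAGS_FROM_CAPTURE = 0xE2888215
V1_ESS_MSG = build_authenticate(lm=b"\x11" * 8 + bytes(16), nt=b"\x22" * 24, flags=FLAGS_FROM_CAPTURE)
V1_PLAIN_MSG = build_authenticate(lm=b"\x33" * 24, nt=b"\x44" * 24, flags=FLAGS_FROM_CAPTURE & ~EXTENDED_SESSION_SECURITY)
AV_PAIRS = struct.pack("<HH", 0x0002, 8) + "CORP".encode("utf-16-le") + struct.pack("<HH", 0x0000, 0)  # MsvAvNbDomainName, MsvAvEOL
V2_MSG = build_authenticate(lm=bytes(24), nt=constructed_ntlmv2_response(b"\x55" * 8, b"\x66" * 8, 133000000000000000, AV_PAIRS),
                            flags=FLAGS_FROM_CAPTURE)

if __name__ == "__main__":
    print(decode_flags(FLAGS_FROM_CAPTURE))
    for m in (V1_ESS_MSG, V1_PLAIN_MSG, V2_MSG):
        print(classify_authenticate(m))
```

The point the parser makes is that the extended-security flag is present in the AUTHENTICATE message regardless of which response version the client actually sent, so on its own it does not separate v1 from v2; the length and layout of the NT response does, and Wireshark's "NTLM Response" field is where that can be read off a capture.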
- kuglidani, Feb 20, 2026, Copper Contributor
Hi!
I understand that MDI is not parsing the log but the network packet. Can you please let me know if the captured packets I shared above are sufficient to decide if it is NTLMv1 or v2 from the MDI perspective? Let me know if additional input is required, I'm happy to do other tests as I really want to understand the mechanism.
Thank you in advance