Forum Discussion

saadulfazal
Copper Contributor
Mar 16, 2025

Clarification on NTLM Authentication Events (Event ID 4625 & 4624) in SOC Monitoring

Hello,

While monitoring authentication events in the SOC, I frequently encounter multiple failed (Event ID: 4625) and successful (Event ID: 4624) login attempts associated with NTLM authentication.

Upon investigating the affected machine, I found no active NTFS shares or resources being accessed. Despite this, NTLM events continue to appear in the logs.

I’m trying to understand what might be triggering these events. Could this be related to background processes, service accounts, or another NTLM authentication mechanism? Although this is a low-level incident, I’d like to fully grasp the cause to rule out any potential security concerns.

I’d appreciate any insights you can provide!

Thank you.
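A triage pass a SOC analyst can run over the events the post describes, added here as an example (it is not part of the original post or any reply). It parses Security-log events exported as XML, keeps only those whose `AuthenticationPackageName` is `NTLM`, groups them by account, source workstation, source IP and `LogonType`, and flags a source that produced failed logons (4625) followed by a success (4624) for the same account. The four sample events are constructed, not real telemetry; field names (`TargetUserName`, `LogonType`, `LogonProcessName`, `AuthenticationPackageName`, `WorkstationName`, `IpAddress`, `Status`, `SubStatus`) are the standard 4624/4625 event data names. Real exports from `wevtutil qe Security /f:xml` are a bare sequence of `<Event>` elements, so wrap them in one root element as the sample does before parsing.

```python
"""Triage NTLM 4624/4625 events exported from the Windows Security log as XML."""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Well-known 4625 SubStatus codes (lower-cased as they appear in event XML).
SUBSTATUS = {
    "0xc000006a": "wrong password",
    "0xc0000064": "user name does not exist",
    "0xc0000072": "account disabled",
    "0xc0000234": "account locked out",
}

# Constructed sample export (not real telemetry): one account fails twice over
# NTLM from the same source and then succeeds; a fourth, Kerberos logon is noise.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2025-03-16T08:00:01Z"/></System>
  <EventData>
    <Data Name="TargetUserName">svc_backup</Data><Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">3</Data><Data Name="LogonProcessName">NtLmSsp </Data>
    <Data Name="AuthenticationPackageName">NTLM</Data><Data Name="WorkstationName">WS-FINANCE-07</Data>
    <Data Name="IpAddress">10.0.5.23</Data><Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc000006a</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2025-03-16T08:00:03Z"/></System>
  <EventData>
    <Data Name="TargetUserName">svc_backup</Data><Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">3</Data><Data Name="LogonProcessName">NtLmSsp </Data>
    <Data Name="AuthenticationPackageName">NTLM</Data><Data Name="WorkstationName">WS-FINANCE-07</Data>
    <Data Name="IpAddress">10.0.5.23</Data><Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc000006a</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2025-03-16T08:00:05Z"/></System>
  <EventData>
    <Data Name="TargetUserName">svc_backup</Data><Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">3</Data><Data Name="LogonProcessName">NtLmSsp </Data>
    <Data Name="AuthenticationPackageName">NTLM</Data><Data Name="WorkstationName">WS-FINANCE-07</Data>
    <Data Name="IpAddress">10.0.5.23</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2025-03-16T08:01:00Z"/></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">2</Data><Data Name="LogonProcessName">Kerberos</Data>
    <Data Name="AuthenticationPackageName">Kerberos</Data><Data Name="WorkstationName">WS-HR-02</Data>
    <Data Name="IpAddress">10.0.7.14</Data>
  </EventData>
</Event>
</Events>"""


def parse_events(xml_text):
    """Flatten each <Event> into a dict of EventID, Time and its EventData fields."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        rec = {
            "EventID": int(ev.find("e:System/e:EventID", NS).text),
            "Time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        }
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name")] = (d.text or "").strip()  # LogonProcessName carries a trailing space
        events.append(rec)
    return events


def ntlm_only(events):
    """Keep only logons negotiated with the NTLM package."""
    return [e for e in events if e.get("AuthenticationPackageName") == "NTLM"]


def summarize_sources(events):
    """Count 4624/4625 per (account, workstation, source IP, logon type) for NTLM events."""
    summary = defaultdict(Counter)
    for e in ntlm_only(events):
        key = (e.get("TargetUserName"), e.get("WorkstationName"), e.get("IpAddress"), e.get("LogonType"))
        summary[key][e["EventID"]] += 1
    return summary


def failure_then_success(events, min_failures=1):
    """Return (account, ip) pairs with >= min_failures 4625s followed by a 4624, in time order."""
    by_source = defaultdict(list)
    for e in sorted(ntlm_only(events), key=lambda e: e["Time"]):
        by_source[(e.get("TargetUserName"), e.get("IpAddress"))].append(e["EventID"])
    hits = []
    for source, sequence in by_source.items():
        failures = 0
        for eid in sequence:
            if eid == 4625:
                failures += 1
            elif eid == 4624 and failures >= min_failures:
                hits.append((source, failures))
                break
    return hits


def describe_failures(events):
    """Map each NTLM 4625 to a readable failure reason using SubStatus."""
    return [(e["Time"], e.get("TargetUserName"), SUBSTATUS.get(e.get("SubStatus", "").lower(), e.get("SubStatus")))
            for e in ntlm_only(events) if e["EventID"] == 4625]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for key, counts in summarize_sources(evs).items():
        print(key, dict(counts))
    print("failure-then-success:", failure_then_success(evs))
    print("failure reasons:", describe_failures(evs))
```

`LogonType` 3 with `LogonProcessName` `NtLmSsp` is a network logon, which is what scheduled tasks, monitoring agents and mapped drives produce when they fall back to NTLM; grouping by workstation and IP points at the process owner to ask, and a failure-then-success run for a service account usually means a stale credential that was eventually refreshed rather than an intrusion, but it is the pattern worth confirming first.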
