I'm trying to find endpoints with NTLMv1 authentications over the network to examine the possibility of using NTLMv2 instead previous one. Eventually, I'm going to ban authentication over NTLMv1.

I examined NTLM/Operational log but the events from it don't represent the required info (it consists solely of generic info about NTLM using without any granulations).

Does anybody have any approach to how it is possible to do that?