IdentityLogonEvents - IsNtlmV1
Hi, I cannot find documentation on how the IdentityLogonEvents table's AdditionalFields.IsNtlmV1 populated. In a demo environment, I intentionally "enforced" NTLMv1 and made an NTLMv1 connection to a domain controller. On the DC's Security log, event ID 4624 shows correct info: Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 128 On MDI side however it looks like this: (using the following KQL to display relevant info here: IdentityLogonEvents | where ReportId == @"f70dbd37-af8e-4e4e-a77d-b4250f9e0d0b" | extend todynamic(AdditionalFields) | project TimeGenerated, ActionType, Application, LogonType, Protocol,IsNtlmV1 = AdditionalFields.IsNtlmV1 ) TimeGenerated ActionType Application LogonType Protocol IsNtlmV1 Nov 28, 2025 10:43:05 PM LogonSuccess Active Directory Credentials validation Ntlm false Can someone please explain, under which circumstances will the IsNtlmV1 property become "true"? Thank you in advance
DFI/DFE and IdentityQueryEvents DNS events
Should I expect to see any DNS query events from DFE endpoints in the IdentityQueryEvents schema table if I have DFI enabled? This doc - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide#get-schema-information-in-the-security-center - states the IdentityQueryEvents schema is for "Queries for Active Directory objects, such as users, groups, devices, and domains", but I my understanding was DNS query events from DFE endpoints would show up in the DeviceNetworkEvents schema table.
No alerts getiing displayed ( DEFENDER FOR IDENTITY )
Hi, so i've recently setup the senor on DC and the status is healthy and running and i'm also able to recieve the test syslog on my SIEM, but i'm not getting any actual alerts on my SIEM or on the Cloud apps portal under the alerts and yes i;ve enabled the cloudapp - identity integration. What could be the issue ? Or How long does it takes for the alerts to actually get displayed once the sensor is deployed ?
