Hello
Thank you for your question and for reaching out. I understand you have a query/issue related to NTLM traffic.
These policy settings will report what is using NTLM without blocking anything:
Computer Configuration->Policies->Windows Settings->Security Settings->Security Options->Network security: Restrict NTLM: Audit NTLM authentication in this domain. Policy Setting: Audit All
Computer Configuration->Policies->Windows Settings->Security Settings->Security Options->Network security: Restrict NTLM: Audit Incoming NTLM Traffic. Policy Setting: Enable auditing for all accounts
Computer Configuration->Policies->Windows Settings->Security Settings->Security Options->Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers. Policy Setting: Audit all
After enabling these policies, Event IDs 8001, 8002, 8003, and 8004 will be recorded in Event Viewer under Applications and Services Logs->Microsoft->Windows->NTLM->Operational.
Reference :
--If the reply is helpful, please Upvote and Accept as answer--
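
One way to review what the audit policies above record, as an added example that is not part of the original answer: this PowerShell script reads Event IDs 8001-8004 from the NTLM Operational log and lists the most frequent values of each named field per event ID. The 7-day window, the top-5 cut-off and the function name `ConvertTo-NtlmAuditRecord` are assumptions made for illustration; run it from an elevated session on the machine being reviewed.

```powershell
# Added example: summarise NTLM audit events (IDs 8001-8004) from the operational log.
$LogName  = 'Microsoft-Windows-NTLM/Operational'
$EventIds = 8001, 8002, 8003, 8004
$Since    = (Get-Date).AddDays(-7)   # assumption: 7-day review window
$TopN     = 5                        # assumption: values listed per field

function ConvertTo-NtlmAuditRecord {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventRecord] $Record
    )
    process {
        # Read the named <Data> fields from the event XML instead of hard-coding
        # field names, because each event ID carries a different set.
        $fields = [ordered]@{}
        $xml = [xml]$Record.ToXml()
        foreach ($node in $xml.Event.EventData.ChildNodes) {
            if ($node -is [System.Xml.XmlElement] -and $node.HasAttribute('Name')) {
                $fields[$node.GetAttribute('Name')] = $node.InnerText
            }
        }
        [pscustomobject]@{
            TimeCreated = $Record.TimeCreated
            Computer    = $Record.MachineName
            EventId     = $Record.Id
            Fields      = $fields
        }
    }
}

$filter  = @{ LogName = $LogName; Id = $EventIds; StartTime = $Since }
$records = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
             ConvertTo-NtlmAuditRecord)

if ($records.Count -eq 0) {
    Write-Warning "No events $($EventIds -join ', ') in $LogName since $Since."
} else {
    foreach ($group in $records | Group-Object EventId | Sort-Object Name) {
        "Event ID {0}: {1} events" -f $group.Name, $group.Count
        $names = $group.Group | ForEach-Object { $_.Fields.Keys } | Sort-Object -Unique
        foreach ($name in $names) {
            # Most frequent values of this field, e.g. which accounts or hosts appear most
            $group.Group | Where-Object { $_.Fields.Contains($name) } |
                ForEach-Object { $_.Fields[$name] } | Group-Object |
                Sort-Object Count -Descending | Select-Object -First $TopN |
                ForEach-Object { "  {0,-20} {1,6}  {2}" -f $name, $_.Count, $_.Name }
        }
    }
}
```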