Is it possible to monitor NTLMv1 related alerts through SCOM

shankar431 471 Reputation points
2020-12-22T14:07:10.453+00:00

Hi,

Is it possible to detect NTLMv1 security related alerts and reports through SCOM?
If so, can anyone help us with how we can do this?
We tried running a SQL query in the ACS database to get the list of failed logon users with authentication type NTLMv1 and Event 4625, but we did not get any results.

Regards,
Ravi Shankar


3 answers

  1. Leon Laude 85,691 Reputation points
    2020-12-22T14:19:56.667+00:00

    Hi @shankar431 ,

    I would say this is more of an auditing requirement and not a monitoring requirement. You can always create custom rules that monitor events related to NTLMv1, such as event 4625.

    I would however really suggest doing it some other way instead of SCOM (some other tool) as security events are written in very high frequency, especially on Domain Controllers, which may flood your SCOM environment which then again could result in a backlog.

    ----------

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Best regards,
    Leon


  2. CyrAz 5,181 Reputation points
    2020-12-22T14:30:59.623+00:00

    You can create an alerting rule on events without actually collecting the events, though ;)


  3. Crystal-MSFT 44,841 Reputation points Microsoft Vendor
    2020-12-23T01:53:06.27+00:00

    @shankar431 , I agree with Leon and CyrilAzoulay: we can create an alert based on the Windows event for NTLMv1.

    We can first check the event ID generated for NTLMv1, and then search for the event ID in the following link to find which parameter has NTLMv1 mentioned. For event ID 4624, if NTLMv1 is included in the Package Name (NTLM only), we can use Parameter 15 as the filter.
    https://www.windows-security.org/windows-event-id/4624-an-account-was-successfully-logged-on
    Note: Non-Microsoft link, just for the reference.

    Then we can consider creating an event alert according to the following link:
    https://social.technet.microsoft.com/wiki/contents/articles/23478.scom-2012-create-alert-monitor-based-on-windows-event-administrator-login-alert.aspx

    Hope it can help.


    If the response is helpful, please click "Accept Answer" and upvote it.
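As an added verification step for the approach described above (example code, not from any of the posters): a PowerShell query against the Security log that lists recent 4624/4625 events whose Package Name (NTLM only) field is "NTLM V1", so you can confirm which event IDs, accounts and workstations are actually involved before building the SCOM event rule. The computer name and time window are assumptions; the filter uses the named EventData field `LmPackageName`, which is the field the answer refers to as Parameter 15 of event 4624.

```powershell
# Added example: list recent NTLMv1 logon events (success 4624 and failure 4625)
# from the Security log. Uses the named EventData field rather than a positional
# parameter, so the same filter applies to both event IDs.
param(
    # Assumption: a domain controller or server whose Security log you can read.
    [string]$ComputerName = $env:COMPUTERNAME,
    # Assumption: how far back to look, in hours.
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours).ToUniversalTime().ToString('o')

# Event Log XPath: 4624 or 4625, within the time window, where
# Package Name (NTLM only) equals "NTLM V1".
$xpath = "*[System[(EventID=4624 or EventID=4625) and TimeCreated[@SystemTime>='$since']] " +
         "and EventData[Data[@Name='LmPackageName']='NTLM V1']]"

# Get-WinEvent raises an error (not an empty result) when nothing matches.
$events = Get-WinEvent -ComputerName $ComputerName -LogName Security `
                       -FilterXPath $xpath -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No NTLM V1 logon events (4624/4625) found on $ComputerName in the last $Hours hours."
    return
}

$events | ForEach-Object {
    # Parse the event XML and collect the named EventData fields into a hashtable.
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        EventId     = $_.Id                          # 4624 = success, 4625 = failure
        Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType   = $d.LogonType
        Workstation = $d.WorkstationName
        SourceIp    = $d.IpAddress
        LmPackage   = $d.LmPackageName               # expected: NTLM V1
    }
} | Group-Object EventId, Account, Workstation |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

If this returns rows on a domain controller but the ACS query for 4625 did not, the NTLMv1 use is most likely showing up as successful 4624 logons, which is the event ID and parameter the answer above suggests filtering on in the SCOM rule.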