This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 39%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Hi,
Is it possible to detect NTLMv1 Security related alerts and reports through SCOM.
If so can anyone help us how we can do this.
We tried running SQL query in ACS database to get the failed to logon users list with authentication type NTLMv1 with the Event 4625. But we did not get any results.
Regards,
Ravi Shankar
Hi @shankar431 ,
I would say this is more of an auditing requirement and not a monitoring requirement, you can always create custom rules that monitor events related to the NTLMv1 such as event 4625.
I would however really suggest doing it some other way instead of SCOM (some other tool) as security events are written in very high frequency, especially on Domain Controllers, which may flood your SCOM environment which then again could result in a backlog.
----------
(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
Best regards,
Leon
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 31%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
You can create an alerting rule on events without actually collecting the events, though ;)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@shankar431 , Agree with Leon and CyrilAzoulay, we can create alert based on Windows event for NTLMv1.
We can firstly check the event id generated for NTLMv1. And then search the event id in the following link to find which parameter has NTLMv1 mentioned. For event id 4624, if the NTLMv1 included in the Package Name(NTLM only, we can use Parameter 15 as the filter.
https://www.windows-security.org/windows-event-id/4624-an-account-was-successfully-logged-on
Note: Non-Microsoft link, just for the reference.
Then we can consider creating event alert according to the following link:
https://social.technet.microsoft.com/wiki/contents/articles/23478.scom-2012-create-alert-monitor-based-on-windows-event-administrator-login-alert.aspx
Hope it can help.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@shankar431 ,Hope things are going well. Did the above suggestions help? If there's anything else we can help, feel free to let us know.