NTLM Authentication Audit

Security Analysis Report • Generated: 02/03/2026 02:40:24

28 Events Detected

Unique Devices: 4 (Workstations using NTLM)

Total Events: 28 (Logon events scanned)

Top Offender: CM1 (Highest NTLM usage)

Device Communication Log

Time              Workstation  User Account   IP Address  Auth Package  Status
2025-10-14 19:45  CM1          CORP\LabAdmin  10.0.0.7    NTLM          NTLM Auth
2025-10-14 19:45  CM1          CORP\LabAdmin  10.0.0.7    NTLM          NTLM Auth
2025-10-14 19:45  CM1          CORP\LabAdmin  10.0.0.7    NTLM          NTLM Auth
2025-10-14 19:45  CM1          CORP\LabAdmin  10.0.0.7    NTLM          NTLM Auth
2025-10-14 19:35  GW1          CORP\LabAdmin  10.0.0.254  NTLM          NTLM Auth
2025-10-14 19:35  GW1          CORP\LabAdmin  10.0.0.254  NTLM          NTLM Auth
2025-10-14 19:35  GW1          CORP\LabAdmin  10.0.0.254  NTLM          NTLM Auth
2025-10-14 19:35  GW1          CORP\LabAdmin  10.0.0.254  NTLM          NTLM Auth
2025-10-14 19:35  GW1          CORP\LabAdmin  10.0.0.254  NTLM          NTLM Auth
2025-10-14 19:35  GW1          CORP\LabAdmin  10.0.0.254  NTLM          NTLM Auth
2025-10-14 19:34  CM1          CORP\LabAdmin  10.0.0.7    NTLM          NTLM Auth
2025-10-14 19:34  MDT1         CORP\LabAdmin  10.0.0.8    NTLM          NTLM Auth
2025-10-14 19:34  CM1          CORP\LabAdmin  10.0.0.7    NTLM          NTLM Auth
2025-10-14 19:34  MDT1         CORP\LabAdmin  10.0.0.8    NTLM          NTLM Auth
2025-10-14 19:34  CM1          CORP\LabAdmin  10.0.0.7    NTLM          NTLM Auth
2025-10-14 19:34  MDT1         CORP\LabAdmin  10.0.0.8    NTLM          NTLM Auth
2025-10-14 19:34  CM1          CORP\LabAdmin  10.0.0.7    NTLM          NTLM Auth
2025-10-14 19:34  MDT1         CORP\LabAdmin  10.0.0.8    NTLM          NTLM Auth
2025-10-14 19:34  CM1          CORP\LabAdmin  10.0.0.7    NTLM          NTLM Auth
2025-10-14 19:34  MDT1         CORP\LabAdmin  10.0.0.8    NTLM          NTLM Auth
2025-10-14 19:34  CM1          CORP\LabAdmin  10.0.0.7    NTLM          NTLM Auth
2025-10-14 19:34  MDT1         CORP\LabAdmin  10.0.0.8    NTLM          NTLM Auth
2025-10-14 19:34  APP1         CORP\LabAdmin  10.0.0.9    NTLM          NTLM Auth
2025-10-14 19:34  APP1         CORP\LabAdmin  10.0.0.9    NTLM          NTLM Auth
2025-10-14 19:34  APP1         CORP\LabAdmin  10.0.0.9    NTLM          NTLM Auth
2025-10-14 19:34  APP1         CORP\LabAdmin  10.0.0.9    NTLM          NTLM Auth
2025-10-14 19:34  APP1         CORP\LabAdmin  10.0.0.9    NTLM          NTLM Auth
2025-10-14 19:34  APP1         CORP\LabAdmin  10.0.0.9    NTLM          NTLM Auth

Top NTLM Devices

CM1 10 events
APP1 6 events
MDT1 6 events
GW1 6 events

Recommendation

Investigate the top devices. NTLM is less secure than Kerberos. Check if these are legacy systems, misconfigured applications, or external connections.

Top Affected Users