Event ID 8002 — NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked.

Provider: Microsoft-Windows-NTLM
Channel: Operational
Level: Informational
Collection Priority: Recommended (Palantir, others)
Task: AuditingNTLM

Description

NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked.

Message

NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked
Calling process PID: %1
Calling process name: %2
Calling process LUID: %3
Calling process user identity: %4
Calling process domain identity: %5
Mechanism OID: %6

Audit NTLM authentication requests to this server that would be blocked if the security policy Network Security: Restrict NTLM: Incoming NTLM Traffic is set to Deny all accounts or Deny all domain accounts.

If you want this server to allow NTLM authentication, set the security policy Network Security: Restrict NTLM: Incoming NTLM Traffic to Allow all.
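To use this audit event the way the policy text intends, the added PowerShell below (not from the original page) summarises recent 8002 events on a server by client account and calling process, so you can see which accounts and server-side processes would be affected before switching Restrict NTLM: Incoming NTLM Traffic to a Deny setting. It assumes the Microsoft-Windows-NTLM/Operational log is enabled and readable from the current session; the $Days window is a chosen default.

```powershell
# Added example: impact review of Event 8002 (NTLM incoming traffic that would be blocked).
# Assumes the Microsoft-Windows-NTLM/Operational log is enabled and the session is elevated.
param(
    [int]$Days = 7   # look-back window, assumed default
)

$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = 8002
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No 8002 events since $since: no audited NTLM clients, or audit mode is not enabled."
    return
}

# Read EventData by field name (CallerPID, ProcessName, ClientLUID, ClientUserName,
# ClientDomainName, MechanismOID) so the script does not depend on property order.
$rows = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d   = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time         = $e.TimeCreated
        ClientUser   = "$($d['ClientDomainName'])\$($d['ClientUserName'])"
        ProcessName  = $d['ProcessName']
        CallerPID    = $d['CallerPID']
        MechanismOID = $d['MechanismOID']   # "(NULL)" when NTLM was used directly, not via SPNEGO
    }
}

# Impact view: which client accounts, through which server process, still rely on incoming NTLM.
$rows | Group-Object ClientUser, ProcessName |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'ClientUser';  e = { $_.Group[0].ClientUser } },
        @{ n = 'ProcessName'; e = { $_.Group[0].ProcessName } },
        @{ n = 'LastSeen';    e = { ($_.Group | Sort-Object Time -Descending)[0].Time } } |
    Format-Table -AutoSize
```

Each remaining row is a client that needs Kerberos, an exception entry, or decommissioning before the policy is set to Deny; an empty result after a representative period is the evidence that enforcement is safe.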

Fields

Name                              Type
CallerPID                         UInt32
ProcessName                       UnicodeString
ClientLUID                        HexInt64
ClientUserName                    UnicodeString
ClientDomainName                  UnicodeString
MechanismOID                      UnicodeString
Calling_process_PID               UInt32
Calling_process_name              UnicodeString
Calling_process_LUID              HexInt64
Calling_process_user_identity     UnicodeString
Calling_process_domain_identity   UnicodeString
Mechanism_OID                     UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-NTLM",
    "guid": "AC43300D-5FCC-4800-8E99-1BD3F85F0320",
    "event_source_name": "",
    "event_id": 8002,
    "version": 0,
    "level": 4,
    "task": 2,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-12T02:56:00.824258+00:00",
    "event_record_id": 1104,
    "correlation": {
      "ActivityID": "CC8E79E3-F5C5-4F46-89CF-44829F945FA1"
    },
    "execution": {
      "process_id": 720,
      "thread_id": 12064
    },
    "channel": "Microsoft-Windows-NTLM/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "CallerPID": 720,
    "ProcessName": "C:\\Windows\\System32\\lsass.exe",
    "ClientLUID": "0x3e4",
    "ClientUserName": "LAB-WIN11$",
    "ClientDomainName": "WORKGROUP",
    "MechanismOID": "(NULL)"
  },
  "message": ""
}

Detection Rules

Sigma

  • NTLM Logon source low: Detects logons using NTLM, which could be caused by a legacy source or attackers