A user account authenticated to multiple hosts via NTLMv1 or LM authentication for the first time in the past 30 days.
The attacker attempts to gain access to the accounts.
Audit all login events with a weaker protocol and review any anomalous usage. Investigate the mentioned user for additional suspicious activity.