Here is what I have been using to find NTLM v1 authentications:
source=WinEventLog:Security eventtype=windows_logon_success AND AuthenticationPackageName=NTLM AND LmPackageName="NTLM V1"| table Computer, IpAddress, IpPort, AuthenticationPackageName, LmPackageName, LogonProcessName
Keep in mind that if Anonymous logons are allowed, you may also see a number of them in the result list. I have a separate query that filters those results out using the following addition:
AND TargetUserName!="ANONYMOUS LOGON"
... View more