I already started changing my applications that use NTLM v1 in the authentication for NTLM v2.
I still have several event IDs in my DCs that show sessiom NULL with anonymous accounts. after troubleshooting I found that the sessions are done by remote Windows services in my LAN particularly Windows 2008 and less.
The authentication package that is used in those sessions is NTLM V1 like event ID 4624 (Microsoft windows Security Auditing)
Is it possible to force the NTLM V2 rather than NTLM V1 for those anonymous authentication used by Windows services?