I am going to test this and see if it shows up in the logs this week. If it works I will monitor Security Log ID 4625 and alert if it is logged when anything attemps Null Session Enumeration (NSE).
Even if your Domain is setup to block NSE this might be a way to find internal attackers/hackers or poorly written apps that use NSE.
RT