
Actively detect llmnr / wpad poisoning #405

@ION28

Description


"detect netbios/LLMNR poisoning by having your endpoint agent issue a request for a non-existent resource. Tools like Responder would respond to this request, giving themselves away. I can say from experience that this is great for pinpointing attacker machines. False positives are rare, typically associated with misconfigured routers.

...the Insight agents are instructed to issue queries for non-existent host names over NBT-NS (as the most vulnerable systems would) and any received responses will expose the spoofer

https://blog.rapid7.com/2016/10/19/analytics-by-any-other-name-new-insightidr-detections-released/
https://github.com/Kevin-Robertson/Conveigh"
