Find if You Are Using Only TLS 1.2 Protocol with Log Analytics


I stumbled on a great article by Brandon Wilson named Demystifying Schannel, in which he explains how to enable verbose logging for Schannel to find out which protocols our machines are using. As I live and breathe Log Analytics and love to crunch data, I thought it would be a nice example to ingest that data into it and show you how the new query language can transform data.

So first, a few important things:

  • The article explains how to enable verbose logging for Schannel, and you can use the same procedure to enable it on multiple machines.
  • Once that is enabled, add the System log to your data sources if it is not already there.
  • I strongly suggest enabling this only for a short period, 1-2 hours at most, to avoid a big increase in your Log Analytics usage. 1-2 hours should be enough to get a good sample across your environment of which protocols are in use.

After that, wait until the data arrives in your Log Analytics workspace. Once it is there you can query it:

Event
| where EventID == 36880


As we can see, the data is not very well formatted: the interesting fields are buried inside the single EventData string. Making sense of it in that state would be a struggle, but do not worry. With the new language we can easily transform the data using parse:

Event
| where EventID == 36880
| parse kind=relaxed EventData with * '<Protocol>' Protocol '</Protocol><CipherSuite>' CipherSuite '</CipherSuite><ExchangeStrength>' ExchangeStrength '</ExchangeStrength><ContextHandle>' ContextHandle '</ContextHandle><TargetName>' TargetName '</TargetName><LocalCertSubjectName>' LocalCertSubjectName '</LocalCertSubjectName><RemoteCertSubjectName>' RemoteCertSubjectName '</RemoteCertSubjectName>' *
| sort by TimeGenerated desc
| project Computer, TimeGenerated, Protocol, CipherSuite, ExchangeStrength, ContextHandle, TargetName, RemoteCertSubjectName, UserName


With this query we get a completely different picture: each XML element becomes its own column. Now that the data is transformed we can summarize it:

Event
| where EventID == 36880
| parse kind=relaxed EventData with * '<Protocol>' Protocol '</Protocol><CipherSuite>' CipherSuite '</CipherSuite><ExchangeStrength>' ExchangeStrength '</ExchangeStrength><ContextHandle>' ContextHandle '</ContextHandle><TargetName>' TargetName '</TargetName><LocalCertSubjectName>' LocalCertSubjectName '</LocalCertSubjectName><RemoteCertSubjectName>' RemoteCertSubjectName '</RemoteCertSubjectName>' *
| sort by TimeGenerated desc
| summarize count() by Protocol | render piechart


and

Event
| where EventID == 36880
| parse kind=relaxed EventData with * '<Protocol>' Protocol '</Protocol><CipherSuite>' CipherSuite '</CipherSuite><ExchangeStrength>' ExchangeStrength '</ExchangeStrength><ContextHandle>' ContextHandle '</ContextHandle><TargetName>' TargetName '</TargetName><LocalCertSubjectName>' LocalCertSubjectName '</LocalCertSubjectName><RemoteCertSubjectName>' RemoteCertSubjectName '</RemoteCertSubjectName>' *
| sort by TimeGenerated desc
| where Protocol != 'TLS 1.2'
| summarize count() by RemoteCertSubjectName | render piechart
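To show what the parse and the two summarize queries above actually do to the raw EventData, here is an offline Python equivalent. This is an added example, not code from the original post or from Log Analytics: it extracts the same seven elements the parse statement names, behaves like kind=relaxed by returning an empty string for an element that is missing instead of dropping the row, and then reproduces the count-by-Protocol and the non-TLS 1.2 count-by-RemoteCertSubjectName summaries. The events it runs over are constructed samples (the hostnames, certificate subjects and cipher suite names are placeholders, and the element order is assumed to match the query), so it can be run without a workspace; feeding it rows exported from your own Event table is a matter of filling the same three keys.

```python
"""Offline equivalent of the Log Analytics queries for Schannel event 36880.

Added example, not from the original post. The EventData strings below are
constructed samples in the shape the parse statement expects, not real events.
"""
import re
from collections import Counter
from typing import Dict, List

# The elements the parse statement pulls out of EventData, in the same order.
FIELDS = [
    "Protocol", "CipherSuite", "ExchangeStrength", "ContextHandle",
    "TargetName", "LocalCertSubjectName", "RemoteCertSubjectName",
]


def parse_event_data(event_data: str) -> Dict[str, str]:
    """Extract FIELDS from one EventData string.

    Mirrors `parse kind=relaxed`: an element that is missing yields "" rather
    than failing the whole row. It is slightly looser than the KQL pattern,
    which additionally requires the elements to be adjacent to each other.
    """
    parsed = {}
    for name in FIELDS:
        match = re.search(rf"<{name}>(.*?)</{name}>", event_data, re.DOTALL)
        parsed[name] = match.group(1) if match else ""
    return parsed


def project_rows(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Equivalent of `| parse ... | project ...`: one flat row per event."""
    rows = []
    for event in events:
        row = {"Computer": event["Computer"], "TimeGenerated": event["TimeGenerated"]}
        row.update(parse_event_data(event["EventData"]))
        rows.append(row)
    return rows


def count_by_protocol(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Equivalent of `| summarize count() by Protocol`."""
    return dict(Counter(row["Protocol"] for row in project_rows(events)))


def non_tls12_by_remote_subject(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Equivalent of `| where Protocol != 'TLS 1.2' | summarize count() by RemoteCertSubjectName`."""
    return dict(Counter(
        row["RemoteCertSubjectName"]
        for row in project_rows(events)
        if row["Protocol"] != "TLS 1.2"
    ))


def _event_data(protocol: str, cipher: str, remote: str, target: str = "") -> str:
    # Constructed EventData fragment in the element order the query parses.
    return (f"<Protocol>{protocol}</Protocol><CipherSuite>{cipher}</CipherSuite>"
            f"<ExchangeStrength>256</ExchangeStrength><ContextHandle>0x1</ContextHandle>"
            f"<TargetName>{target}</TargetName><LocalCertSubjectName></LocalCertSubjectName>"
            f"<RemoteCertSubjectName>{remote}</RemoteCertSubjectName>")


# Constructed sample rows; hostnames, subjects and cipher suites are placeholders.
SAMPLE_EVENTS = [
    {"Computer": "web01.contoso.local", "TimeGenerated": "2017-10-02T10:00:00Z",
     "EventData": _event_data("TLS 1.2", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "CN=api.contoso.local", "api.contoso.local")},
    {"Computer": "web01.contoso.local", "TimeGenerated": "2017-10-02T10:00:05Z",
     "EventData": _event_data("TLS 1.2", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "CN=api.contoso.local", "api.contoso.local")},
    {"Computer": "app01.contoso.local", "TimeGenerated": "2017-10-02T10:00:10Z",
     "EventData": _event_data("TLS 1.0", "TLS_RSA_WITH_AES_128_CBC_SHA", "CN=legacy.contoso.local", "legacy.contoso.local")},
    {"Computer": "app01.contoso.local", "TimeGenerated": "2017-10-02T10:00:15Z",
     "EventData": _event_data("TLS 1.1", "TLS_RSA_WITH_AES_128_CBC_SHA", "CN=legacy.contoso.local", "legacy.contoso.local")},
    # Server-side handshake with no client certificate: remote subject is empty.
    {"Computer": "app02.contoso.local", "TimeGenerated": "2017-10-02T10:00:20Z",
     "EventData": _event_data("TLS 1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "")},
    # Truncated event with only the first two elements: relaxed parsing keeps it.
    {"Computer": "app02.contoso.local", "TimeGenerated": "2017-10-02T10:00:25Z",
     "EventData": "<Protocol>TLS 1.0</Protocol><CipherSuite>TLS_RSA_WITH_AES_128_CBC_SHA</CipherSuite>"},
]


if __name__ == "__main__":
    for row in project_rows(SAMPLE_EVENTS):
        print(row["Computer"], row["Protocol"], row["CipherSuite"], row["RemoteCertSubjectName"] or "<none>")
    print("by protocol:", count_by_protocol(SAMPLE_EVENTS))
    print("non-TLS 1.2 by remote subject:", non_tls12_by_remote_subject(SAMPLE_EVENTS))
```

Two things worth noticing when you run it. The truncated sixth event still lands in the counts with an empty RemoteCertSubjectName, which is exactly why the query uses kind=relaxed; a strict parse would silently drop it, and the rows that drop are often the odd legacy ones you are looking for. And the `!= 'TLS 1.2'` filter is a "not the version I want" check, so anything else, older or newer, shows up in the second summary; if you later allow TLS 1.3 as well, widen that filter accordingly.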


This is the power of Log Analytics: analyzing data with ease.

I hope this example is helpful for you.
