Find if You Are Using Only TLS 1.2 Protocol with Log Analytics


I've stumbled on a great article by Brandon Wilson named Demystifying Schannel, in which he explains how we can enable verbose logging for Schannel to find out what protocols our machines are using. As I live and breathe Log Analytics and love to crunch data, I thought it would be a cool example if we could ingest that data into it, and I could show you some cool examples of transforming data with the new query language.

So first, a few important things:

  • The article explains how to enable verbose logging for Schannel, and you can use the same procedure to enable it on multiple machines.
  • Once it is enabled, add the System log to your data sources if it is not added already (the Schannel events land in the System log).

  • I would strongly suggest enabling this only for a short period, 1-2 hours maximum, to avoid a big increase in your Log Analytics usage. 1-2 hours should be enough to get a good sample across your environment of which protocols are being used.

After the above, just wait until the data is in your Log Analytics workspace. When you have the data, you can query it:

Event
| where EventID == 36880


As we can see, the data is not very well formatted, and it would be a struggle to make sense of it in its current state. But do not worry: with the new language we can easily transform the data by using parse. Note that the query needs straight quotes, not the typographic ones a word processor or blog editor may substitute:

Event
| where EventID == 36880
| parse kind=relaxed EventData with * '<Protocol>' Protocol '</Protocol><CipherSuite>' CipherSuite '</CipherSuite><ExchangeStrength>' ExchangeStrength '</ExchangeStrength><ContextHandle>' ContextHandle '</ContextHandle><TargetName>' TargetName '</TargetName><LocalCertSubjectName>' LocalCertSubjectName '</LocalCertSubjectName><RemoteCertSubjectName>' RemoteCertSubjectName '</RemoteCertSubjectName>' *
| sort by TimeGenerated desc
| project Computer, TimeGenerated, Protocol, CipherSuite, ExchangeStrength, ContextHandle, TargetName, RemoteCertSubjectName, UserName


With this query we get a completely different picture. Now that the data is transformed, we can summarize it, for example by counting handshakes per negotiated protocol:

Event
| where EventID == 36880
| parse kind=relaxed EventData with * '<Protocol>' Protocol '</Protocol><CipherSuite>' CipherSuite '</CipherSuite><ExchangeStrength>' ExchangeStrength '</ExchangeStrength><ContextHandle>' ContextHandle '</ContextHandle><TargetName>' TargetName '</TargetName><LocalCertSubjectName>' LocalCertSubjectName '</LocalCertSubjectName><RemoteCertSubjectName>' RemoteCertSubjectName '</RemoteCertSubjectName>' *
| sort by TimeGenerated desc
| summarize count() by Protocol | render piechart


and, to see which remote endpoints (by certificate subject) are still negotiating anything other than TLS 1.2:

Event
| where EventID == 36880
| parse kind=relaxed EventData with * '<Protocol>' Protocol '</Protocol><CipherSuite>' CipherSuite '</CipherSuite><ExchangeStrength>' ExchangeStrength '</ExchangeStrength><ContextHandle>' ContextHandle '</ContextHandle><TargetName>' TargetName '</TargetName><LocalCertSubjectName>' LocalCertSubjectName '</LocalCertSubjectName><RemoteCertSubjectName>' RemoteCertSubjectName '</RemoteCertSubjectName>' *
| sort by TimeGenerated desc
| where Protocol != 'TLS 1.2'
| summarize count() by RemoteCertSubjectName | render piechart
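The same parse-then-summarize logic, as an added Python example that is not part of the original post, for anyone who has exported the 36880 events (or reads them locally) rather than querying them in Log Analytics. The EventData strings and host names are constructed to match the element sequence the KQL parse pattern above expects; they are not real captured events.

```python
import re
from collections import Counter

# The seven elements the KQL parse clause extracts, in the same order.
FIELDS = ["Protocol", "CipherSuite", "ExchangeStrength", "ContextHandle",
          "TargetName", "LocalCertSubjectName", "RemoteCertSubjectName"]
# One regex with a named group per element, equivalent to the parse clause.
PATTERN = re.compile("".join(f"<{f}>(?P<{f}>.*?)</{f}>" for f in FIELDS), re.S)

def parse_event_data(event_data):
    """Mirror of the KQL parse: return the seven fields as a dict, or None
    when EventData does not contain the expected element sequence."""
    m = PATTERN.search(event_data)
    return m.groupdict() if m else None

def summarize_by_protocol(events):
    """Equivalent of 'summarize count() by Protocol' over parsable events."""
    counts = Counter()
    for ev in events:
        fields = parse_event_data(ev["EventData"])
        if fields:
            counts[fields["Protocol"]] += 1
    return dict(counts)

def non_tls12_by_remote_subject(events):
    """Equivalent of "where Protocol != 'TLS 1.2' | summarize count() by
    RemoteCertSubjectName": which remote peers still use older protocols."""
    counts = Counter()
    for ev in events:
        fields = parse_event_data(ev["EventData"])
        if fields and fields["Protocol"] != "TLS 1.2":
            counts[fields["RemoteCertSubjectName"]] += 1
    return dict(counts)

def _sample(protocol, suite, remote):
    # Constructed EventData in the shape the parse pattern expects (hypothetical values).
    vals = [protocol, suite, "256", "0x1", "srv.example.test", "CN=web01", remote]
    return {"Computer": "web01", "EventID": 36880,
            "EventData": "".join(f"<{f}>{v}</{f}>" for f, v in zip(FIELDS, vals))}

SAMPLE_EVENTS = [
    _sample("TLS 1.2", "0xC030", "CN=api.example.test"),
    _sample("TLS 1.2", "0xC02F", ""),  # no client certificate presented
    _sample("TLS 1.0", "0x002F", "CN=legacy.example.test"),
    _sample("SSL 3.0", "0x0035", "CN=legacy.example.test"),
    {"Computer": "web01", "EventID": 36880, "EventData": "unexpected text"},
]

if __name__ == "__main__":
    print(summarize_by_protocol(SAMPLE_EVENTS))
    print(non_tls12_by_remote_subject(SAMPLE_EVENTS))
```

The last sample event, with no recognizable elements, is dropped by both summaries, just as an event whose EventData does not match the pattern yields empty columns in the KQL version.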


This is the power of Log Analytics: analyzing data with ease.

I hope this example will be helpful for you.
