@merill
Last active January 31, 2022 21:01
Gets a list of Azure AD sign-ins that negotiated legacy TLS (TLS 1.0, TLS 1.1 or 3DES). The same data can be pulled either with the Microsoft Graph PowerShell SDK or by querying the sign-in logs in Log Analytics; both variants are below. Learn more about the Azure AD legacy TLS deprecation and the new "Legacy TLS" field in the sign-in logs at https://docs.microsoft.com/en-us/troubleshoot/azure/active-directory/enable-support-tls-environment?tabs=azure-monitor#overview-of-new-telemetry-in-the-sign-in-logs
// Interactive sign-ins only
SigninLogs
| where AuthenticationProcessingDetails has "Legacy TLS"
    and AuthenticationProcessingDetails has "True"
| extend JsonAuthProcDetails = parse_json(AuthenticationProcessingDetails)
| mv-apply JsonAuthProcDetails on (
    where JsonAuthProcDetails.key startswith "Legacy TLS"
    | project HasLegacyTls=JsonAuthProcDetails.value
    )
| where HasLegacyTls == true

// Non-interactive sign-ins
AADNonInteractiveUserSignInLogs
| where AuthenticationProcessingDetails has "Legacy TLS"
    and AuthenticationProcessingDetails has "True"
| extend JsonAuthProcDetails = parse_json(AuthenticationProcessingDetails)
| mv-apply JsonAuthProcDetails on (
    where JsonAuthProcDetails.key startswith "Legacy TLS"
    | project HasLegacyTls=JsonAuthProcDetails.value
    )
| where HasLegacyTls == true
# Pre-requisites
# Install-Module Microsoft.Graph
$tId = "nnnnn" #tenant ID
$agoDays = 4 #will filter the log for $agoDays from current date/time
$startDate = (Get-Date).AddDays(-($agoDays)).ToString('yyyy-MM-dd') #calculate start date for filter
$pathForExport = "./" #path to local filesystem for export of CSV file
Connect-MgGraph -TenantId $tId -Scopes "AuditLog.Read.All" #could also use Directory.Read.All
Select-MgProfile "beta" #Low TLS available in MS Graph preview endpoint
# Note: Select-MgProfile was removed in Microsoft.Graph SDK v2. On v2, install Microsoft.Graph.Beta and call Get-MgBetaAuditLogSignIn instead.
# Without a signInEventTypes filter, Get-MgAuditLogSignIn returns interactive user sign-ins only.
# The server-side $filter matches value eq '1' (as in Microsoft's documentation); the objects returned carry the value as the string "True", which is what the client-side check below compares against.
$signInsInteractive = Get-MgAuditLogSignIn -Filter "createdDateTime ge $startDate and (authenticationProcessingDetails/any(x:x/key eq 'legacy tls (tls 1.0, 1.1, 3des)' and x/value eq '1'))" -All
$signInsNonInteractive = Get-MgAuditLogSignIn -Filter "createdDateTime ge $startDate and signInEventTypes/any(t: t eq 'nonInteractiveUser') and (authenticationProcessingDetails/any(x:x/key eq 'legacy tls (tls 1.0, 1.1, 3des)' and x/value eq '1'))" -All
$signInsInteractive | Foreach-Object {
    foreach ($authDetail in $_.AuthenticationProcessingDetails)
    {
        if(($authDetail.Key -match "Legacy TLS") -and ($authDetail.Value -eq "True")){
            $_ | select CorrelationId, createdDateTime, userPrincipalName, userId, UserDisplayName, AppDisplayName, AppId, IPAddress, isInteractive, ResourceDisplayName, ResourceId
        }
    }
} | Export-Csv -NoTypeInformation -Path ($pathForExport + "Interactive_lowTls_$tId.csv")
$signInsNonInteractive | Foreach-Object {
    foreach ($authDetail in $_.AuthenticationProcessingDetails)
    {
        if(($authDetail.Key -match "Legacy TLS") -and ($authDetail.Value -eq "True")){
            $_ | select CorrelationId, createdDateTime, userPrincipalName, userId, UserDisplayName, AppDisplayName, AppId, IPAddress, isInteractive, ResourceDisplayName, ResourceId
        }
    }
} | Export-Csv -NoTypeInformation -Path ($pathForExport + "NonInteractive_lowTls_$tId.csv")
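The raw rows the script exports tell you that legacy TLS is still in use; what you actually need for remediation is which client (app, source IP, user agent) is doing it and how often. The following is an added example of that post-processing step, not code from the gist or from Microsoft. It assumes sign-in objects shaped like the ones Get-MgAuditLogSignIn returns (CreatedDateTime, UserPrincipalName, AppDisplayName, IPAddress, UserAgent, and AuthenticationProcessingDetails as a list of Key/Value pairs); the function names, app names, users and IP addresses are hypothetical, and the records it runs on are constructed so it works offline. Accepting '1' as well as "True" for the legacy TLS value is a defensive choice, since the Graph filter and the returned objects spell the flag differently.

```powershell
# Added example (not part of the original gist): run the same legacy-TLS test
# over sign-in objects shaped like Get-MgAuditLogSignIn output and summarise
# the clients that need fixing. All records below are constructed sample data.

function Test-LegacyTlsSignIn {
    # Emits the sign-in when its AuthenticationProcessingDetails carries a
    # "Legacy TLS ..." entry that is set. Graph returns the value as the string
    # "True" while its $filter syntax uses '1', so both spellings are accepted.
    param([Parameter(Mandatory, ValueFromPipeline)] $SignIn)
    process {
        $hit = @($SignIn.AuthenticationProcessingDetails) | Where-Object {
            $_.Key -match '^Legacy TLS' -and ($_.Value -in @('True', '1'))
        }
        if ($hit) { $SignIn }
    }
}

function Get-LegacyTlsClientSummary {
    # Groups sign-ins by app, source IP and user agent (the facts needed to
    # locate and upgrade the client), counting sign-ins and listing the users.
    param([Parameter(Mandatory, ValueFromPipeline)] $SignIn)
    begin { $rows = [System.Collections.Generic.List[object]]::new() }
    process { $rows.Add($SignIn) }
    end {
        $rows | Group-Object AppDisplayName, IPAddress, UserAgent | ForEach-Object {
            $latest = $_.Group | Sort-Object CreatedDateTime -Descending | Select-Object -First 1
            [pscustomobject]@{
                AppDisplayName = $latest.AppDisplayName
                IPAddress      = $latest.IPAddress
                UserAgent      = $latest.UserAgent
                SignIns        = $_.Count
                Users          = (@($_.Group.UserPrincipalName) | Sort-Object -Unique) -join ';'
                LastSeen       = $latest.CreatedDateTime
            }
        } | Sort-Object SignIns -Descending
    }
}

# Builds one constructed sample record; a second, unrelated detail entry is
# included to show that only the "Legacy TLS" key is inspected.
function New-SampleSignIn($When, $Upn, $App, $Ip, $Agent, $LegacyTlsValue) {
    [pscustomobject]@{
        CreatedDateTime   = [datetime]$When
        UserPrincipalName = $Upn
        AppDisplayName    = $App
        IPAddress         = $Ip
        UserAgent         = $Agent
        AuthenticationProcessingDetails = @(
            [pscustomobject]@{ Key = 'Legacy TLS (TLS 1.0, 1.1, 3DES)'; Value = $LegacyTlsValue }
            [pscustomobject]@{ Key = 'Is CAE Token'; Value = 'False' }
        )
    }
}

# Constructed sample data (hypothetical app names, users and IP addresses).
$sample = @(
    New-SampleSignIn '2021-11-10T08:00:00Z' 'alice@contoso.example' 'Legacy Reporting Tool' '203.0.113.10' 'ReportTool/1.0 (Windows 7)' 'True'
    New-SampleSignIn '2021-11-10T09:30:00Z' 'bob@contoso.example'   'Legacy Reporting Tool' '203.0.113.10' 'ReportTool/1.0 (Windows 7)' 'True'
    New-SampleSignIn '2021-11-11T07:15:00Z' 'carol@contoso.example' 'Outlook'               '198.51.100.7' 'Outlook/2010'               '1'
    New-SampleSignIn '2021-11-11T07:20:00Z' 'dave@contoso.example'  'Microsoft Teams'       '198.51.100.9' 'Teams/1.5'                  'False'
)

# Expected: two rows (the reporting tool with alice and bob, then Outlook with
# carol); the Teams sign-in is dropped because its legacy TLS flag is False.
$sample | Test-LegacyTlsSignIn | Get-LegacyTlsClientSummary | Format-Table -AutoSize
```

To use it on real data, pipe `$signInsInteractive + $signInsNonInteractive` from the script above straight into `Test-LegacyTlsSignIn | Get-LegacyTlsClientSummary`. The exported CSVs are not a good input here because the script's select list does not include UserAgent, which is the column that most often identifies the outdated client library or OS.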
@c016smith

c016smith commented Nov 11, 2021

Any idea why I'd get "Get-MgAuditLogSignIn_List: Method not found" from Get-MgAuditLogSignIn?
Here's a debug view of it. Not sure if I don't have a pre-req or am missing a step.
[screenshot of the debug output]

Running latest Powershell 7.2 and VSCode.

Love that you shared this here (and on Twitter, thanks)!

@merill (Author)

merill commented Nov 17, 2021

Try updating the Graph module to the latest version and restarting the PowerShell session.
Update-Module Microsoft.Graph
