I have a fairly large number (~50) of Azure storage accounts. Per Azure guidance, I want to set them to require TLS1.2 connections. In order to do this safely, I want to make sure no clients are making TLS1.0 or 1.1 connections.
I have associated one of the storage accounts to a Data Collection Rule.
This DCR is supposed to send the platform metrics to a Log Analytics Workspace. However, when I go to that LAW, then go to Logs and execute a KQL query, I get no results, even though there has been activity on that storage account.
Clearly I'm doing something wrong. Once I can see the logs, I can refine the KQL to filter for logs containing TLS1.0 or 1.1. Any insights into where I went south?
Checking for TLS1.0 connections to Azure storage accounts
The issue was that only platform metrics are collecting through the Data Collection Rule (DCR), which do not contain TLS protocol details.
I enabled diagnostic logs (Storage Read, Write, and Delete) on the storage account. These logs are configured to flow directly into the Log Analytics workspace.
I then used the below KQL query to detect any TLS 1.0 or 1.1 connections:
```kusto
StorageBlobLogs
| where TimeGenerated > ago(7d)
| where TlsVersion startswith "TLS 1."
| summarize Count = count() by TlsVersion, CallerIpAddress, UserAgentHeader
```
The query results confirm that no clients are using TLS 1.0 or 1.1. All connections are through TLS 1.2 or TLS 1.3 only.
Output:

| TlsVersion | CallerIpAddress | UserAgentHeader | Count |
|---|---|---|---|
| TLS 1.3 | 10.156.61.12:56309 | services_xstore_transport_HTTP2/1.0 | 1 |
| TLS 1.2 | 10.156.60.195:65379 | services_xstore_transport_HTTP2/1.0 | 3 |
| TLS 1.3 | 10.156.61.12:38521 | services_xstore_transport_HTTP2/1.0 | 1 |
| TLS 1.2 | 10.0.3.208:36332 | SRP/1.0 | 2 |
| TLS 1.3 | 10.156.61.12:53229 | services_xstore_transport_HTTP2/1.0 | 1 |
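As an added example (not from the original question or answer), here is the variant of the check that helps when rolling TLS 1.2 enforcement out across many accounts: it unions the four storage service log tables, matches TLS 1.0/1.1 exactly rather than with `startswith "TLS 1."` (which also matches 1.2 and 1.3), strips the source port that the output above shows appended to `CallerIpAddress`, and reports per account whether enforcement is safe. Table and column names are the Azure Monitor storage log schema; the 30-day lookback and the set sizes are assumptions, and each account needs diagnostic settings for each service it serves sent to this workspace.

```kusto
// Added example: per-account TLS 1.0/1.1 readiness check across all storage services.
// Assumes diagnostic settings for Blob/File/Queue/Table are flowing to this workspace.
let lookback = 30d;                       // assumed window; widen for rarely used clients
let legacy = dynamic(["TLS 1.0", "TLS 1.1"]);
union StorageBlobLogs, StorageFileLogs, StorageQueueLogs, StorageTableLogs
| where TimeGenerated > ago(lookback)
// CallerIpAddress carries a source port ("10.156.61.12:56309" in the output above);
// strip it so one client is not split into one row per connection.
| extend CallerIp = iff(CallerIpAddress matches regex @":\d+$",
                        extract(@"^(.*):\d+$", 1, CallerIpAddress),
                        CallerIpAddress)
| extend IsLegacyTls = TlsVersion in (legacy)
| summarize TotalRequests   = count(),
            LegacyRequests  = countif(IsLegacyTls),
            LastLegacySeen  = maxif(TimeGenerated, IsLegacyTls),
            // who still negotiates TLS 1.0/1.1: client IP, user agent, auth type
            LegacyCallers   = make_set_if(strcat(CallerIp, " | ", UserAgentHeader,
                                                 " | ", AuthenticationType),
                                          IsLegacyTls, 20),
            LegacyOperations = make_set_if(OperationName, IsLegacyTls, 10)
    by AccountName
// Accounts with zero legacy requests in the window can be switched to
// MinimumTlsVersion = TLS1_2 first; the rest need the listed callers fixed.
| extend SafeToEnforceTls12 = LegacyRequests == 0
| order by LegacyRequests desc, TotalRequests desc
```

An account that shows no traffic at all in the window has not proven anything, so check that its diagnostic settings are actually enabled before treating it as safe.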