
Commit b48a088

committed
Add query for identifying old TLS version
1 parent 32f6f9b commit b48a088

File tree

2 files changed

+12
-1
lines changed


articles/key-vault/general/monitor-key-vault.md

+11
Original file line numberDiff line numberDiff line change
@@ -83,6 +83,17 @@ For a list of the tables used by Azure Monitor Logs and queryable by Log Analyti
8383
8484
Here are some queries that you can enter into the **Log search** bar to help you monitor your Key Vault resources. These queries work with the [new language](../../azure-monitor/logs/log-query-overview.md).
8585

86+
* Are there any clients using old TLS version (<1.2)?
87+
88+
```kusto
89+
AzureDiagnostics
90+
| where TimeGenerated > ago(90d)
91+
| where ResourceProvider =="MICROSOFT.KEYVAULT"
92+
| where isnotempty(tlsVersion_s) and strcmp(tlsVersion_s,"TLS1_2") <0
93+
| project TimeGenerated,Resource, OperationName, requestUri_s, CallerIPAddress, OperationVersion,clientInfo_s,tlsVersion_s,todouble(tlsVersion_s)
94+
| sort by TimeGenerated desc
95+
```
96+
8697
* Are there any slow requests?
8798
8899
```Kusto
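Review bot: `todouble(tlsVersion_s)` in the `project` line will evaluate to null for values in the format this query expects (`TLS1_0`, `TLS1_2` are not numeric strings), so the extra column carries no information; either drop it or extract the numeric part before converting. The filter `strcmp(tlsVersion_s,"TLS1_2") <0` relies on lexicographic ordering of that string format, which works for `TLS1_0` and `TLS1_1` but would silently misclassify any value that does not follow the `TLS1_x` pattern; matching the known legacy values explicitly, e.g. `| where tlsVersion_s in ("TLS1_0", "TLS1_1")`, states the intent and avoids that. Minor style points: the new fence is tagged `kusto` while the existing block directly below uses `Kusto`, and the spacing in `ResourceProvider =="MICROSOFT.KEYVAULT"` and `strcmp(tlsVersion_s,"TLS1_2") <0` is inconsistent with the rest of the query; pick one convention for the file.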

articles/key-vault/general/security-features.md

+1-1
Original file line numberDiff line numberDiff line change
@@ -38,7 +38,7 @@ Azure Private Link Service enables you to access Azure Key Vault and Azure hoste
3838
- Despite known vulnerabilities in TLS protocol, there is no known attack that would allow a malicious agent to extract any information from your key vault when the attacker initiates a connection with a TLS version that has vulnerabilities. The attacker would still need to authenticate and authorize itself, and as long as legitimate clients always connect with recent TLS versions, there is no way that credentials could have been leaked from vulnerabilities at old TLS versions.
3939

4040
> [!NOTE]
41-
> For Azure Key Vault, ensure that the application accessing the Keyvault service should be running on a platform that supports TLS 1.2 or recent version. If the application is dependent on .Net framework, it should be updated as well. You can also make the registry changes mentioned in [this article](/troubleshoot/azure/active-directory/enable-support-tls-environment) to explicitly enable the use of TLS 1.2 at OS level and for .Net framework. To meet with compliance obligations and to improve security posture, Key Vault connections via TLS 1.0 & 1.1 are considered a security risk, and any connections using old TLS protocols will be disallowed in 2023.
41+
> For Azure Key Vault, ensure that the application accessing the Keyvault service should be running on a platform that supports TLS 1.2 or recent version. If the application is dependent on .Net framework, it should be updated as well. You can also make the registry changes mentioned in [this article](/troubleshoot/azure/active-directory/enable-support-tls-environment) to explicitly enable the use of TLS 1.2 at OS level and for .Net framework. To meet with compliance obligations and to improve security posture, Key Vault connections via TLS 1.0 & 1.1 are considered a security risk, and any connections using old TLS protocols will be disallowed in 2023. You can monitor TLS version used by clients by monitoring Key Vault logs with sample Kusto query [here](monitor-key-vault.md#sample-kusto-queries).
4242
4343
## Key Vault authentication options
4444
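Review bot: the added sentence needs a grammar pass and a better link: "You can monitor TLS version used by clients by monitoring Key Vault logs with sample Kusto query [here](...)" reads better as "You can monitor the TLS version used by clients by querying Key Vault logs with the sample Kusto query in [Monitor Key Vault](monitor-key-vault.md#sample-kusto-queries)", which also replaces the bare "here" link text with a descriptive one. Please also verify that the `#sample-kusto-queries` anchor matches an actual heading in monitor-key-vault.md; the first hunk of this commit adds the query but does not show the heading it sits under, so the anchor cannot be confirmed from this diff.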
