aerickson5
>> query, 90% of the resources listed (a variety of resource types) have no minimum tls version specified. Can you explain what that could mean?
This might be harsh and controversial: It means that the "author" is trusting Copilot's answer without checking how resources are defining the TLS version. At least the "author" of the query said it was AI-generated. Every service has its own naming for TLS settings and even for the setting values.
Also, the resources table doesn't even support all resource types.
-----
Here is another query that relies on policy states:

// Compliance state per policy assignment
policyresources
| where ['type'] =~ "microsoft.policyinsights/policystates"
| project policyDefinitionId = tolower(tostring(properties.policyDefinitionId)),
    complianceState = properties.complianceState,
    policyAssignmentScope = properties.policyAssignmentScope,
    policyAssignmentName = properties.policyAssignmentName,
    policyAssignmentParameters = properties.policyAssignmentParameters
// Join with the policy definitions to get display name and description
| join kind=fullouter (
    policyresources
    | where ['type'] =~ "microsoft.authorization/policydefinitions"
    | project id = tolower(id),
        policyName = tostring(properties.displayName),
        policyDescription = tostring(properties.description)
    ) on $left.policyDefinitionId == $right.id
// Keep only the policies that mention TLS
| where policyName contains "TLS" or policyDescription contains "TLS"

When using this query, you should not trust the policies that MSFT assigns for Defender recommendations. ALZ has a larger initiative for TLS: https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html
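
To illustrate the point above that each service names its TLS setting and its values differently, here is an added Resource Graph example (not part of the original post, and not the AI-generated query being discussed) that reads the minimum TLS version per resource type and normalises it. It covers only three types; the property names and value spellings are assumptions taken from each provider's ARM schema and should be checked against the API version in use.

```kql
// Added example: per-type lookup of the minimum TLS setting.
// Property names and value formats below are assumptions from the ARM schemas,
// not values given on this page. Types not listed here are deliberately excluded
// rather than reported as "no minimum TLS version".
resources
| where type in~ (
    'microsoft.storage/storageaccounts',
    'microsoft.sql/servers',
    'microsoft.cache/redis')
| extend rawMinTls = case(
    type =~ 'microsoft.storage/storageaccounts', tostring(properties.minimumTlsVersion), // e.g. TLS1_2
    type =~ 'microsoft.sql/servers',             tostring(properties.minimalTlsVersion), // e.g. 1.2
    type =~ 'microsoft.cache/redis',             tostring(properties.minimumTlsVersion), // e.g. 1.2
    '')
// Map the provider-specific spellings onto one scale
| extend minTls = case(
    rawMinTls in~ ('TLS1_0', '1.0'), '1.0',
    rawMinTls in~ ('TLS1_1', '1.1'), '1.1',
    rawMinTls in~ ('TLS1_2', '1.2'), '1.2',
    rawMinTls in~ ('TLS1_3', '1.3'), '1.3',
    isempty(rawMinTls), 'not returned',
    strcat('other: ', rawMinTls))
// 'not returned' means the property was absent from the Resource Graph record,
// which is not the same as the resource accepting any TLS version.
| summarize resourceCount = count() by type, minTls
| order by type asc, minTls asc
```

A large 'not returned' bucket for a type is a prompt to check that type's schema or its policy compliance state, not a finding in itself.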