I found a possible solution using the ssf value (security strength factor). When StartTLS or SSL is used, the ssf is greater than 0. But the ssf value is logged as 0 at other points when the connection is secure. By finding connections where ssf < 128, you can filter out the secure connections.
source="YOUR-LDAP-SOURCE" | transaction conn maxpause=5m | search ssf<128 | top uid
By using the transaction command you can group the individual connection sequences by the conn attribute, then search for those with a lower ssf AES bit encryption.
... View more