diff --git a/CHANGES.md b/CHANGES.md
index 2cf50a82351b3986268694cb91b879072eccce7c..ee96fbeae13a294725ba93ac47bb8d42f3b0c549 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -57,6 +57,7 @@ Release Notes.
 * Add otel rules to ui template to observe Istio control plane.
 * Remove istio mixer
 * Support close influxdb batch write model.
+* Check SAN in the ALS (m)TLS process.
 
 #### UI
 * Fix incorrect label in radial chart in topology.
diff --git a/oap-server/server-receiver-plugin/envoy-metrics-receiver-plugin/src/main/java/org/apache/skywalking/oap/server/receiver/envoy/als/LogEntry2MetricsAdapter.java b/oap-server/server-receiver-plugin/envoy-metrics-receiver-plugin/src/main/java/org/apache/skywalking/oap/server/receiver/envoy/als/LogEntry2MetricsAdapter.java
index df3bab8fb7422f7578b3d16bba8b19aea39d1e49..0ded78ef52356e30b1e6a13ed4181ff601e0139a 100644
--- a/oap-server/server-receiver-plugin/envoy-metrics-receiver-plugin/src/main/java/org/apache/skywalking/oap/server/receiver/envoy/als/LogEntry2MetricsAdapter.java
+++ b/oap-server/server-receiver-plugin/envoy-metrics-receiver-plugin/src/main/java/org/apache/skywalking/oap/server/receiver/envoy/als/LogEntry2MetricsAdapter.java
@@ -28,6 +28,7 @@ import io.envoyproxy.envoy.data.accesslog.v2.HTTPResponseProperties;
 import io.envoyproxy.envoy.data.accesslog.v2.ResponseFlags;
 import io.envoyproxy.envoy.data.accesslog.v2.TLSProperties;
 import java.time.Instant;
+import java.util.List;
 import java.util.Optional;
 import lombok.RequiredArgsConstructor;
 import org.apache.skywalking.apm.network.common.v3.DetectPoint;
@@ -156,14 +157,16 @@ public class LogEntry2MetricsAdapter {
         if (properties == null) {
             return NON_TLS;
         }
-        if (isNullOrEmpty(Optional.ofNullable(properties.getLocalCertificateProperties())
-                                  .orElse(TLSProperties.CertificateProperties.newBuilder().build())
-                                  .getSubject())) {
+        TLSProperties.CertificateProperties lp = Optional
+            .ofNullable(properties.getLocalCertificateProperties())
+            .orElse(TLSProperties.CertificateProperties.newBuilder().build());
+        if (isNullOrEmpty(lp.getSubject()) && !hasSAN(lp.getSubjectAltNameList())) {
             return NON_TLS;
         }
-        if (isNullOrEmpty(Optional.ofNullable(properties.getPeerCertificateProperties())
-                                  .orElse(TLSProperties.CertificateProperties.newBuilder().build())
-                                  .getSubject())) {
+        TLSProperties.CertificateProperties pp = Optional
+            .ofNullable(properties.getPeerCertificateProperties())
+            .orElse(TLSProperties.CertificateProperties.newBuilder().build());
+        if (isNullOrEmpty(pp.getSubject()) && !hasSAN(pp.getSubjectAltNameList())) {
             return TLS;
         }
         return M_TLS;
@@ -217,4 +220,18 @@ public class LogEntry2MetricsAdapter {
         }
         return "";
     }
+
+    /**
+     * @param subjectAltNameList from ALS LocalCertificateProperties and PeerCertificateProperties
+     * @return true is there is at least one SAN, based on URI check.
+     */
+    private static boolean hasSAN(List subjectAltNameList) {
+        for (final TLSProperties.CertificateProperties.SubjectAltName san : subjectAltNameList) {
+            // Don't check DNS for now, as it is tagged not-implemented in ALS v2
+            if (!isNullOrEmpty(san.getUri())) {
+                return true;
+            }
+        }
+        return false;
+    }
 }
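Review bot: The two new conditions `isNullOrEmpty(lp.getSubject()) && !hasSAN(lp.getSubjectAltNameList())` do not record why an empty subject alone no longer means "no certificate", and the locals `lp`/`pp` do not say which side they describe; rename them to `localCert`/`peerCert` and add above the first check a comment such as `// A certificate may carry an empty subject and identify the workload only through a URI SAN, so treat it as present if either field is set.` (the SPIFFE-style workload identity that presumably motivated this is an inference; confirm against the certificates this was written for). It is also worth stating in the method's Javadoc that the TLS/M_TLS result only reflects that Envoy reported a certificate on each side; nothing in this hunk shows whether the peer certificate was validated, so the M_TLS label should be read as "peer presented a certificate", not as proof of an authenticated peer. The enclosing method starts before this hunk.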
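Review bot: `hasSAN` takes a raw `List` as shown, which is what the enhanced `for` over `SubjectAltName` elements would not compile against, so either the type argument was lost when this diff was captured or it is missing; the signature should be `private static boolean hasSAN(List<TLSProperties.CertificateProperties.SubjectAltName> subjectAltNameList)`. The Javadoc has a typo, `@return true is there is` should read `@return true if there is at least one SAN with a non-empty URI; DNS SANs are ignored`, which also makes the deliberate DNS omission visible to callers rather than only in the loop body comment. Since the loop is a simple any-match, it could be written as `return subjectAltNameList.stream().anyMatch(san -> !isNullOrEmpty(san.getUri()));`, keeping the existing comment about DNS being not-implemented in ALS v2 above it.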