Audit Bit Locker Key Retrieved
Query
//Detects when a BitLocker key is read in Azure AD and retrieves the device and key ids
//Data connector required for this query - Azure Active Directory - Audit Logs
AuditLogs
| where OperationName == "Read BitLocker key"
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend s = tostring(AdditionalDetails[0].value)
| parse s with * "ID: '" KeyId "'" *
| parse s with * "device: '" DeviceId "'"
| project TimeGenerated, OperationName, Actor, KeyId, DeviceIdExplanation
This query is looking for instances where a BitLocker key is read in Azure AD. It retrieves the device and key IDs associated with the event. The query requires a data connector for Azure Active Directory - Audit Logs. The results of the query include the time the event occurred, the operation name (Read BitLocker key), the actor who initiated the action, and the corresponding key and device IDs.
Details

Matt Zorich
Released: June 17, 2022
Tables
AuditLogs
Keywords
AuditLogsOperationNameRead BitLocker keyInitiatedBy.useruserPrincipalNameAdditionalDetailsvalueIDKeyIddeviceDeviceIdTimeGenerated
Operators
whereextendtostringparse_jsonparseproject