Query Details

Audit BitLocker Key Retrieved

Query

//Detects when a BitLocker key is read in Azure AD and retrieves the device and key ids

//Data connector required for this query - Azure Active Directory - Audit Logs

AuditLogs
| where OperationName == "Read BitLocker key"
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend s = tostring(AdditionalDetails[0].value)
| parse s with * "ID: '" KeyId "'" *
| parse s with * "device: '" DeviceId "'"
| project TimeGenerated, OperationName, Actor, KeyId, DeviceId

Explanation

This query looks for instances where a BitLocker recovery key is read from Azure AD, an action that hands the reader everything needed to unlock the device's encrypted volume. It filters AuditLogs to the operation "Read BitLocker key", takes the initiating user's UPN from InitiatedBy.user, and parses the key ID and device ID out of the free-text value in the first AdditionalDetails entry. The query requires the Azure Active Directory - Audit Logs data connector. Each result row gives the time of the event, the operation name, the actor who retrieved the key, and the corresponding key and device IDs. Because the IDs come from a string via parse, a change in the event text leaves KeyId or DeviceId empty rather than raising an error, so check for empty values when tuning. The cases worth alerting on are reads by accounts outside the help-desk or device-administration roles that normally perform recovery, and several reads by one actor in a short window.
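The following is an added example, not part of the original page or of the author's query collection. It runs the same parsing logic over a constructed datatable standing in for AuditLogs, so the extraction can be tested without a connected workspace, and extends it with two checks the explanation calls for: reads by an account outside an expected list and bursts of reads for several devices by one account in an hour. The AdditionalDetails value text, the ExpectedActors list, and all UPNs and GUIDs are assumptions shaped to what the two parse statements expect; verify the real event text against a live event before relying on the pattern.

```kql
// Constructed sample rows standing in for the AuditLogs table; nothing here is real tenant data.
// The value text is an assumption shaped to the query's parse patterns ("... ID: '<key>' ... device: '<device>'").
let SampleAuditLogs = datatable(
    TimeGenerated: datetime,
    OperationName: string,
    InitiatedBy: dynamic,
    AdditionalDetails: dynamic
)[
    // Routine single read by a help-desk account
    datetime(2022-06-17 09:12:00), "Read BitLocker key",
        dynamic({"user": {"userPrincipalName": "helpdesk1@contoso.com"}}),
        dynamic([{"key": "KeyDetails", "value": "key ID: '11111111-aaaa-4bbb-8ccc-000000000001'. Backed up from device: 'd0000000-0000-4000-8000-000000000001'"}]),
    // Three reads for three different devices by a non-help-desk account inside one hour
    datetime(2022-06-17 13:02:10), "Read BitLocker key",
        dynamic({"user": {"userPrincipalName": "contractor7@contoso.com"}}),
        dynamic([{"key": "KeyDetails", "value": "key ID: '11111111-aaaa-4bbb-8ccc-000000000002'. Backed up from device: 'd0000000-0000-4000-8000-000000000002'"}]),
    datetime(2022-06-17 13:05:44), "Read BitLocker key",
        dynamic({"user": {"userPrincipalName": "contractor7@contoso.com"}}),
        dynamic([{"key": "KeyDetails", "value": "key ID: '11111111-aaaa-4bbb-8ccc-000000000003'. Backed up from device: 'd0000000-0000-4000-8000-000000000003'"}]),
    datetime(2022-06-17 13:21:09), "Read BitLocker key",
        dynamic({"user": {"userPrincipalName": "contractor7@contoso.com"}}),
        dynamic([{"key": "KeyDetails", "value": "key ID: '11111111-aaaa-4bbb-8ccc-000000000004'. Backed up from device: 'd0000000-0000-4000-8000-000000000004'"}]),
    // Value text that does not match the pattern, to show how a format change surfaces
    datetime(2022-06-17 15:40:00), "Read BitLocker key",
        dynamic({"user": {"userPrincipalName": "helpdesk2@contoso.com"}}),
        dynamic([{"key": "KeyDetails", "value": "Recovery key retrieved"}]),
    // Unrelated operation, dropped by the where clause
    datetime(2022-06-17 16:00:00), "Update device",
        dynamic({"user": {"userPrincipalName": "admin@contoso.com"}}),
        dynamic([{"key": "DisplayName", "value": "LAPTOP-01"}])
];
// Accounts expected to read recovery keys (constructed list; in production feed this from a watchlist or group)
let ExpectedActors = dynamic(["helpdesk1@contoso.com", "helpdesk2@contoso.com"]);
// Per-event extraction, identical to the page's query apart from the two flag columns
let KeyReads = SampleAuditLogs
| where OperationName == "Read BitLocker key"
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend s = tostring(AdditionalDetails[0].value)
| parse s with * "ID: '" KeyId "'" *
| parse s with * "device: '" DeviceId "'"
// parse leaves the columns empty when the pattern does not match; keep the row and flag it
| extend ParseFailed = isempty(KeyId) or isempty(DeviceId)
| extend UnexpectedActor = not(set_has_element(ExpectedActors, Actor));
// Hourly roll-up per actor; alert on an unexpected account, a burst across devices, or a parse failure
KeyReads
| summarize
    Reads = count(),
    DistinctDevices = dcountif(DeviceId, isnotempty(DeviceId)),
    Devices = make_set_if(DeviceId, isnotempty(DeviceId)),
    ParseFailures = countif(ParseFailed),
    UnexpectedReads = countif(UnexpectedActor)
    by Actor, Hour = bin(TimeGenerated, 1h)
| where UnexpectedReads > 0 or DistinctDevices >= 3 or ParseFailures > 0
| project Hour, Actor, Reads, DistinctDevices, Devices, ParseFailures, UnexpectedReads
```

On the constructed rows this returns two lines: contractor7@contoso.com at 13:00 (three reads, three devices, unexpected account) and helpdesk2@contoso.com at 15:00 (one read with a parse failure). The helpdesk1 row is a single expected read and is filtered out, and the "Update device" row never reaches the parse stage. To run the same logic against a workspace, replace SampleAuditLogs with AuditLogs and tune the device threshold to the help desk's normal volume.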

Details


Matt Zorich

Released: June 17, 2022

Tables

AuditLogs

Keywords

AuditLogs, OperationName, Read BitLocker key, InitiatedBy.user, userPrincipalName, AdditionalDetails, value, ID, KeyId, device, DeviceId, TimeGenerated

Operators

where, extend, tostring, parse_json, parse, project
