Merge pull request #3172 from mepples21/miepping-dev5

Create azure_ad_bitlocker_key_retrieval.yml
2022-06-29 19:40:36 +02:00
parent 4fee43361c ef47e7c8f2
commit e516fd74cb
1 changed files with 22 additions and 0 deletions
@@ -0,0 +1,22 @@
+title: Bitlocker Key Retrieval
+id: a0413867-daf3-43dd-9245-734b3a787942
+description: Monitor and alert for Bitlocker key retrieval.
+author: Michael Epping, '@mepples21'
+date: 2022/06/28
+references:
+  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#bitlocker-key-retrieval
+logsource:
+  product: azure
+  service: auditlogs
+detection:
+  selection:
+    Category: KeyManagement
+    OperationName: Read BitLocker key
+  condition: selection
+falsepositives:
+  - Unknown
+level: medium
+status: experimental
+tags:
+  - attack.valid_accounts
+  - attack.t1078