diff --git a/rules/cloud/azure/azure_ad_bitlocker_key_retrieval.yml b/rules/cloud/azure/azure_ad_bitlocker_key_retrieval.yml
new file mode 100644
index 000000000..e203e67b7
--- /dev/null
+++ b/rules/cloud/azure/azure_ad_bitlocker_key_retrieval.yml
@@ -0,0 +1,22 @@
+title: Bitlocker Key Retrieval
+id: a0413867-daf3-43dd-9245-734b3a787942
+description: Monitor and alert for Bitlocker key retrieval.
+author: Michael Epping, '@mepples21'
+date: 2022/06/28
+references:
+  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#bitlocker-key-retrieval
+logsource:
+  product: azure
+  service: auditlogs
+detection:
+  selection:
+    Category: KeyManagement
+    OperationName: Read BitLocker key
+  condition: selection
+falsepositives:
+  - Unknown
+level: medium
+status: experimental
+tags:
+  - attack.valid_accounts
+  - attack.t1078
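Review bot: The `falsepositives` entry `- Unknown` undersells what this selection will match: every read of a BitLocker recovery key, including routine help-desk or device-owner recovery of a locked device, produces the same `Category: KeyManagement` / `OperationName: Read BitLocker key` audit entry, so analysts will see those as hits with no guidance on triage. Replace it with the known benign case, e.g. `falsepositives:` / `  - Legitimate help desk or device owner recovery of a locked or re-imaged device`, and consider noting in `description` that the alert is meant to surface retrievals by unexpected actors, which is the angle the referenced Microsoft guidance takes; the rule itself cannot tell those apart because it does not filter on the initiating user. The `description` could also state the data source explicitly, e.g. `description: Detects reads of BitLocker recovery keys from Azure AD, as recorded in the Azure AD audit log KeyManagement category.` The tagging as `attack.t1078` looks like a stretch for a key-read event — presumably chosen because a compromised account performs the read — so a short comment on why that technique was picked would help maintainers.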