From 7aadcff92c11964df44ba80ede58d53e0b52705b Mon Sep 17 00:00:00 2001
From: Michael Epping <19227815+mepples21@users.noreply.github.com>
Date: Tue, 28 Jun 2022 14:23:36 -0700
Subject: [PATCH 1/2] Create azure_ad_bitlocker_key_retrieval.yml

---
 .../azure_ad_bitlocker_key_retrieval.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/cloud/azure/azure_ad_bitlocker_key_retrieval.yml

diff --git a/rules/cloud/azure/azure_ad_bitlocker_key_retrieval.yml b/rules/cloud/azure/azure_ad_bitlocker_key_retrieval.yml
new file mode 100644
index 000000000..f58a983de
--- /dev/null
+++ b/rules/cloud/azure/azure_ad_bitlocker_key_retrieval.yml
@@ -0,0 +1,24 @@
+title: Bitlocker key retrieval
+id: a0413867-daf3-43dd-9245-734b3a787942
+description: Monitor and alert for Bitlocker key retrieval.
+author: Michael Epping, '@mepples21'
+date: 2022/06/28
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#bitlocker-key-retrieval
+logsource:
+ product: azure
+ service: auditlogs
+detection:
+ selection:
+ Category:
+ - KeyManagement
+ OperationName:
+ - Read BitLocker key
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+status: experimental
+tags:
+ - attack.valid_accounts
+ - attack.t1078

From ef47e7c8f2605620241427a8a52aa157d7eaab86 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Wed, 29 Jun 2022 06:34:11 +0200
Subject: [PATCH 2/2] Update azure_ad_bitlocker_key_retrieval.yml

---
 rules/cloud/azure/azure_ad_bitlocker_key_retrieval.yml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/rules/cloud/azure/azure_ad_bitlocker_key_retrieval.yml b/rules/cloud/azure/azure_ad_bitlocker_key_retrieval.yml
index f58a983de..e203e67b7 100644
--- a/rules/cloud/azure/azure_ad_bitlocker_key_retrieval.yml
+++ b/rules/cloud/azure/azure_ad_bitlocker_key_retrieval.yml
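Review bot: The `falsepositives` entry is `Unknown`, yet the Microsoft guidance this rule cites is precisely about separating legitimate recovery-key lookups from abuse, so the expected benign source should be listed for tuning: `falsepositives:` / `  - Legitimate recovery-key retrieval by helpdesk staff or device owners during support or reimaging`. The `description` only restates the title; something like `description: Detects reads of BitLocker recovery keys in Azure AD audit logs. A retrieved key allows decryption of the device's disk, so the retrieving account, the target device and the reason should be reviewed.` tells an analyst why the alert matters. Whether `Category` and `OperationName` match the field names of a given ingestion pipeline cannot be judged from this file alone and is worth confirming against a live audit-log sample.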
@@ -1,4 +1,4 @@
-title: Bitlocker key retrieval
+title: Bitlocker Key Retrieval
 id: a0413867-daf3-43dd-9245-734b3a787942
 description: Monitor and alert for Bitlocker key retrieval.
 author: Michael Epping, '@mepples21'
@@ -10,10 +10,8 @@ logsource:
 service: auditlogs
 detection:
 selection:
- Category:
- - KeyManagement
- OperationName:
- - Read BitLocker key
+ Category: KeyManagement
+ OperationName: Read BitLocker key
 condition: selection
 falsepositives:
 - Unknown
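Review bot: The retitled line still spells the product `Bitlocker`, while the value matched in the second hunk is `Read BitLocker key`; the title (and the unchanged `description` context line) should use the product's own spelling, `title: BitLocker Key Retrieval`, so the rule is consistent with the field it matches and easier to find by search. The second hunk's change from one-element lists to plain scalars is consistent with the other scalar fields in the file and needs nothing further.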