Adding MBAM/Bitlocker Logs to Azure Sentinel

With the recent warning about a new vulnerability (CVE-2020-10713) that’s being called BootHole, some customers may want to monitor the MBAM/Bitlocker logs, as there’s no real protection against the flaw yet. And, in doing so, may also want to provide notifications through analysis – which is a perfect situation for Azure Sentinel.

However, there’s a catch that deserves some guidance and a tip.

If you’ve worked with Log Analytics workspaces for any period of time, you know that you can add additional logs (even custom logs) to the list of sources to be ingested into the data space.

For Azure Sentinel customers, this function can be found by navigating to Settings – Workspace Settings – Advanced Settings – Data as shown in the next image. Inside the Data component there’s a number of areas to configure different log sources including Windows Event Logs (which is where we’re trying to locate MBAM).

Settings – Workspace Settings – Advanced Settings – Data

For those that have added custom Windows Event Logs to the Azure Sentinel workspace before, you know you can simply just start typing a log file name in the space provided and those logs that are “known” will display so you can choose the one you desire.

However, guess what? There are some log files that will not show up in the “known” list and a couple of those are related to MBAM/Bitlocker (specifically, the Operational and Admin logs). That doesn’t mean that the Log Analytics workspace can’t ingest those logs, only that (for some reason) it doesn’t know about them.

Where’s MBAM?

Even though the MBAM logs don’t show up in the list, you can still add them. You just need to know what the log file names actually are. To figure that out, open Windows Event Viewer on any Windows PC and navigate to Applications and Services Logs – Microsoft – Windows – MBAM. Click on either the Admin or Operational log and the Log Name is displayed.

MBAM Operational Log Name

Copy the Log Name from Event Viewer (in the example above, it’s Microsoft-Windows-MBAM/Operational), paste it into the Log Analytics workspace for Azure Sentinel configuration for Windows Event Logs, and click the Plus (+) button to add it. Make sure to hit the Save button before navigating back to Azure Sentinel.

Adding MBAM Operational log file to be collected

After the next check-in for the Log Analytics agent that’s installed on your systems, the data from the MBAM log will start flowing in.

Yay! MBAM!

And, with this new data flowing in, it’s time to start the real fun: writing queries and Analytics Rules.

Keep in mind, you can perform this same process for many logs that don’t display automatically in the Log Analytics workspace list of logs. BUT – be careful. Data ingestion will cost and some logs are simply not worthy of collection for security purposes. Be mindful and intentional.

[Want to discuss this further? Hit me up on Twitter or LinkedIn]

Authors