BitLocker Volume Details in Splunk

Monitoring BitLocker Volume Details

I was recently asked if BitLocker encryption details can be reported on in Splunk.

The answer is yes, if you send the right data to Splunk.

There is a Windows Event Log (Microsoft-Windows-BitLocker/BitLocker Management) that logs when someone encrypts or decrypts a volume. This information is good to know, but what about the state of a volume long after it was decrypted? Once days, weeks, or months have passed, you will need to search back over an extended period to find that activity, and eventually these events will be removed from Splunk based on the index's retention.

I have created a solution that will allow you to see the latest volume status (latest based on an interval you can configure; the default is every 4 hours).  In addition to whether BitLocker Encryption is enabled for each volume, the script also records the volume type (Operating System or Data) and Drive Type (Fixed or Removable) so you can filter the dashboard to view the status for scenarios where you are only concerned with Fixed disks, Operating System disks, or Data disks.
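To show what a scripted input of this kind has to collect, here is an added example script; it is not the script shipped in the ut_splunkforwarder_inputs_bitlocker app. It assumes the Windows BitLocker module (Get-BitLockerVolume) and Storage module (Get-Volume) are available, that the forwarder runs the script with enough privilege to query BitLocker (Get-BitLockerVolume needs elevation; the Universal Forwarder service account usually has it), and that the Splunk PowerShell modular input serializes each output object's properties as key=value pairs in the event. The property and enum names used are those of the BitLocker module.

```powershell
# Added example (not the GitHub app's own script): collect per-volume BitLocker
# status in the shape a Splunk powershell:// scripted input can ingest.
# Assumes Get-BitLockerVolume and Get-Volume are available and the script runs elevated.

# Map mount points ("C:") to the drive type reported by the Storage module, so the
# dashboard can separate Fixed disks from Removable ones. Volumes without a drive
# letter are skipped here because Get-BitLockerVolume keys on the mount point.
$driveTypes = @{}
Get-Volume | Where-Object { "$($_.DriveLetter)" -match '^[A-Z]$' } | ForEach-Object {
    $driveTypes["$($_.DriveLetter):"] = [string]$_.DriveType
}

# One timestamp per run so all volumes from the same interval can be grouped together.
$collected = Get-Date -Format 'o'

Get-BitLockerVolume | ForEach-Object {
    $driveType = if ($driveTypes.ContainsKey($_.MountPoint)) { $driveTypes[$_.MountPoint] } else { 'Unknown' }

    # ProtectionStatus and VolumeStatus are reported separately on purpose: a volume
    # that is FullyEncrypted can still have ProtectionStatus Off when BitLocker has been
    # suspended, which is exactly the state a compliance dashboard needs to surface.
    [PSCustomObject]@{
        CollectedAt          = $collected
        ComputerName         = $env:COMPUTERNAME
        MountPoint           = $_.MountPoint
        VolumeType           = [string]$_.VolumeType        # OperatingSystem or Data
        DriveType            = $driveType                   # Fixed, Removable, ...
        ProtectionStatus     = [string]$_.ProtectionStatus  # On or Off
        VolumeStatus         = [string]$_.VolumeStatus      # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
        EncryptionPercentage = $_.EncryptionPercentage
        EncryptionMethod     = [string]$_.EncryptionMethod  # e.g. XtsAes128, XtsAes256, None
        KeyProtectorTypes    = ($_.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType }) -join ','
        BitLockerEnabled     = ($_.ProtectionStatus -eq 'On')
    }
}
```

Once these events are in the index configured in inputs.conf, the "latest status for each volume" view reduces to a search of the form (index and field names as assumed above): index=myIndex | stats latest(ProtectionStatus) AS ProtectionStatus latest(VolumeStatus) AS VolumeStatus latest(VolumeType) AS VolumeType latest(DriveType) AS DriveType by host, MountPoint. Filtering on DriveType=Fixed or VolumeType=OperatingSystem gives the scenario-specific views described above.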

Universal Forwarder Inputs

  1. Download the ut_splunkforwarder_inputs_bitlocker app from GitHub – BeckhamTX/Splunk-Inputs-WinSysAdminToolkit
  2. Configure the app
    • You must configure the index that you want to send the BitLocker data to:
      • Create a new folder named local inside ut_splunkforwarder_inputs_bitlocker
      • Create a new file named inputs.conf inside ut_splunkforwarder_inputs_bitlocker\local
      • Edit inputs.conf to include the following, replacing myIndex with the index you want to send to
        [powershell://BitLockerVolumeDetails]
        index = myIndex
    • You can optionally adjust the schedule that the volume details are gathered on:
      • Edit ut_splunkforwarder_inputs_bitlocker\local\inputs.conf
      • Add the following line replacing 6 */4 * * * with your custom schedule
        schedule = 6 */4 * * *
        The schedule can be in one of the following two formats:

        Format    Syntax                                                          Example
        Cron      Cron notation (minute, hour, day of month, month, day of week)  6 */4 * * *  (6 minutes past the hour, every 4 hours: 4.00 am, 8.00 am, 12.00 pm, 4.00 pm…)
        Seconds   An integer (the number of seconds before it runs again)         7200  (every 7200 seconds, i.e. every 2 hours)
  3. Deploy the ut_splunkforwarder_inputs_bitlocker app to your Universal Forwarders.
    You have several options to get this configuration out to all of your hosts: if you are running a Splunk Deployment Server, use that; if not, you can use systems management tools such as SCCM/MEMCM.
  4. The Universal Forwarders must be restarted to start using the new BitLocker input configuration. This can be done using the following command:
    "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" restart

Splunk Dashboards

There are two dashboards I have created as part of my Windows SysAdmin Toolkit Splunk app.

This app is not (yet) on Splunkbase, so I will post the dashboard source code here soon.  (If you would like the dashboard source code before I get to post it, please leave a comment on here and I can send it to you directly.)

BitLocker – Comprehensive Overview of Latest Volume Details

This dashboard includes:

  • a few statistics about drive encryption across all hosts
  • the latest status for each volume on all hosts (there are several filter options available here)
  • events from the BitLocker Management Windows Event log for all hosts

BitLocker – Details for a Host

This dashboard provides details for a single host (although you can wildcard the host name if you want to see details for multiple hosts with a common naming pattern).

7 thoughts on “BitLocker Volume Details in Splunk”

  1. Is it possible to get a copy of the dashboard code? Would like to learn more on how to display bitlocker status

  2. Interested in your Windows Admin app for Splunk, this is the kind of stuff I need for my Compliance monitoring

  3. Jason and Joe, I have e-mailed you the xml files for the two BitLocker dashboards.

  4. Hi Geoff – this is what I need for compliance monitoring! Would you kindly send me the code/details please? Thank you

  5. Shareef, I have e-mailed you the xml files for the two BitLocker dashboards.

  6. Could you please send me the dashboards as well? This will be very helpful in the environment I work in!

  7. Braydon, I have e-mailed you the xml files for the two BitLocker dashboards.
