Google Workspace Bitlocker Setting Disabled

Last updated 2 months ago on 2024-09-23

Created 2 years ago on 2022-09-06

About

Google Workspace administrators whom manage Windows devices and have Windows device management enabled may also enable BitLocker drive encryption to mitigate unauthorized data access on lost or stolen computers. Adversaries with valid account access may disable BitLocker to access sensitive data on an endpoint added to Google Workspace device management.

Tags

Domain: CloudData Source: Google WorkspaceUse Case: Configuration AuditTactic: Defense Evasion

Severity

medium

Risk Score

MITRE ATT&CK™

Defense Evasion (TA0005)(opens in a new tab or window)

↳ Impair Defenses (T1562)(opens in a new tab or window)

False Positive Examples

Administrators may temporarily disabled Bitlocker on managed devices for maintenance, testing or to resolve potential endpoint conflicts.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Query (Kibana Query Language)
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: filebeat-*logs-google_workspace*
Related Integrations: google_workspace(opens in a new tab or window)
Query

event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration)
    and google_workspace.admin.new_value:"Disabled" and google_workspace.admin.setting.name:BitLocker*

Install detection rules in Elastic Security

Detect Google Workspace Bitlocker Setting Disabled in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).