
Summary
This rule detects when the 2-step verification (2SV) policy is disabled in a Google Workspace environment. Admins can enforce 2SV to add a layer of security to user accounts by requiring an additional verification method alongside user credentials. Disabling this policy is a security risk because it may allow unauthorized access to accounts with only a username and password. The rule uses event data collected from Google Workspace logs, filtering for instances where the 2SV feature is modified. The required data includes logs from 'google_workspace.login' and the related action identifiers. The rule checks for these changes every 10 minutes so that potential security threats are caught in a timely manner.
Categories
- Cloud
Data Sources
- User Account
- Application Log
- Network Traffic
ATT&CK Techniques
- T1556
Created: 2022-08-26