
Google Workspace Bitlocker Setting Disabled

Elastic Detection Rules

Summary
This detection rule monitors for administrative actions in Google Workspace that disable BitLocker drive encryption on managed Windows devices. BitLocker is a core data-protection feature of the Windows OS, intended to prevent unauthorized access to data on devices that are lost or stolen; when an administrator disables it, data that would otherwise be protected by encryption is exposed. The rule specifically looks for events recording a change to an application setting where the new value of the BitLocker setting is 'Disabled'. The risk it addresses is an adversary with legitimate administrative access turning off a security feature and thereby compromising sensitive data. The rule ships with detailed investigation steps, covering user verification, log review, and incident response guidance, to help confirm and remediate any unauthorized change. It runs every 10 minutes with a lookback window of 130 minutes, so that such critical changes are surfaced promptly; legitimate administrative actions can also trigger it, so some false positives should be expected and reviewed.
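The matching logic and schedule described above, re-implemented as an added stand-alone example (not the rule's own query or Elastic's code) over constructed Google Workspace admin events; the ECS-style field names used here (event.action, google_workspace.admin.setting.name, google_workspace.admin.new_value, source.user.email) are assumptions, not taken from this page.

```python
"""Added example: replay the rule's match condition and lookback window over
constructed admin-audit events. Field names are assumed, not from the page."""
from datetime import datetime, timedelta, timezone

RUN_INTERVAL = timedelta(minutes=10)   # rule schedule stated on the page
LOOKBACK = timedelta(minutes=130)      # lookback stated on the page


def is_bitlocker_disabled(event: dict) -> bool:
    """True when an application setting whose name mentions BitLocker
    was changed and its new value is 'Disabled' (case-insensitive)."""
    if event.get("event.action") != "CHANGE_APPLICATION_SETTING":
        return False
    setting = str(event.get("google_workspace.admin.setting.name", ""))
    new_value = str(event.get("google_workspace.admin.new_value", ""))
    return "bitlocker" in setting.lower() and new_value.lower() == "disabled"


def in_lookback(event: dict, run_time: datetime) -> bool:
    """Only events inside [run_time - LOOKBACK, run_time] are considered."""
    ts = datetime.fromisoformat(event["@timestamp"])
    return run_time - LOOKBACK <= ts <= run_time


def find_alerts(events: list, run_time: datetime) -> list:
    """Events that match the rule and fall inside this run's window."""
    return [e for e in events if in_lookback(e, run_time) and is_bitlocker_disabled(e)]


# Constructed sample events (not real log data); the rule runs at 10:00 UTC.
RUN_TIME = datetime(2022, 9, 6, 10, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"@timestamp": "2022-09-06T09:50:00+00:00", "event.action": "CHANGE_APPLICATION_SETTING",
     "google_workspace.admin.setting.name": "BitLocker Settings - Enable BitLocker",
     "google_workspace.admin.new_value": "Disabled", "source.user.email": "admin@example.com"},
    {"@timestamp": "2022-09-06T09:55:00+00:00", "event.action": "CHANGE_APPLICATION_SETTING",
     "google_workspace.admin.setting.name": "BitLocker Settings - Enable BitLocker",
     "google_workspace.admin.new_value": "Enabled", "source.user.email": "admin@example.com"},
    {"@timestamp": "2022-09-06T06:00:00+00:00", "event.action": "CHANGE_APPLICATION_SETTING",
     "google_workspace.admin.setting.name": "BitLocker Settings - Enable BitLocker",
     "google_workspace.admin.new_value": "Disabled", "source.user.email": "ops@example.com"},
    {"@timestamp": "2022-09-06T09:58:00+00:00", "event.action": "CHANGE_USER_SETTING",
     "google_workspace.admin.setting.name": "BitLocker Settings - Enable BitLocker",
     "google_workspace.admin.new_value": "Disabled", "source.user.email": "ops@example.com"},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS, RUN_TIME):
        print(alert["@timestamp"], alert["source.user.email"], alert["google_workspace.admin.setting.name"])
```

Because the 130-minute lookback is much longer than the 10-minute interval, the same event can fall inside up to 13 consecutive runs; real pipelines deduplicate alerts on the source event id so the same change is not raised repeatedly.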
Categories
  • Cloud
Data Sources
  • User Account
  • Application Log
ATT&CK Techniques
  • T1562
  • T1562.001
Created: 2022-09-06