topic Cortex XDR: Bitlocker Monitoring in Cortex XDR Discussions

Cortex XDR: Bitlocker Monitoring

PBurns — Mon, 12 Jul 2021 20:47:41 GMT

Hello everyone,

We are looking at using XDR to monitor Bitlocker status on Windows machines. On the 'Disk Encryption Visibility' page, we can see the Encryption status, but there is no way to filter on 'Unencrypted' drives.

- Does anyone know of an XQL Query to show only the drives unencrypted?

- Does anyone know of an XQL Query to tie to a BIOC and alert if a drive becomes unencrypted?

Thanks for taking a look!

Peter

Re: Cortex XDR: Bitlocker Monitoring

PBurns — Tue, 13 Jul 2021 16:45:05 GMT

It looks like we have ENCRYPTION STATUS in the Endpoints data set, but not VOLUME STATUS. At this point, we are not enforcing encryption by the policy. See below for a sample query provided by Palo Support:

config case_sensitive = false |
dataset = endpoints
| filter encryption_status = NOT_CONFIGURED or encryption_status = NOT_COMPLIANT |
fields endpoint_name

Re: Cortex XDR: Bitlocker Monitoring

etugriceri — Wed, 14 Jul 2021 09:49:08 GMT

Hello PBurns,

Thank you very much for the XQL query about status. for the BIOC question, you may write BIOC to checking specific registry path. Below is just one sample not tested but might help you to write a query for proper path.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\OSEncryptionType

0 = Allow user to choose (default)

1 = Full encryption

2 = Used Space Only encryption

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker

Value: PreventDeviceEncryption equal to True (1).

Re: Cortex XDR: Bitlocker Monitoring

Melvin_Machado — Wed, 13 Sep 2023 14:41:50 GMT

Hello,

Have you made any progress?

I would like to set up an alert for disks with unencrypted drives.