
Summary
The rule "External User Added to Google Workspace Group" detects the addition of external Google Workspace user accounts to existing groups within an organization, which could indicate a security breach. Adversaries may use group membership to gain access to shared files and communications, creating a risk of data leakage or further unauthorized access. The rule triggers on events where the added user's email domain does not match the organization's Google Workspace domain. It uses Elastic Query Language (EQL) to search event logs for these specific account actions. Investigators are given a guide to the context behind the alerts, including potential false positives arising from legitimate administrative actions. The rule stresses proper privilege management and, if suspicious behavior is detected, incident response steps such as disabling the external account and conducting a thorough investigation to identify any further threats or weaknesses within the cloud environment.
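The domain-comparison logic the rule describes, as an added example in Python; this is not the Elastic rule's own EQL query or code. The sample events and their field names (event_name, user_email, group_email, actor) are constructed for this example and only loosely follow the Google Workspace Admin audit log; the ADD_GROUP_MEMBER event name is assumed. It goes slightly beyond the rule's description by treating subdomains of the organization's domains as internal and by surfacing malformed member addresses instead of silently passing them.

```python
"""Flag group-member additions whose member email is outside the org's domains.

Added example for the detection described above; it is not the Elastic rule
itself. The log layout and field names below are constructed assumptions.
"""
from __future__ import annotations

from typing import Iterable, Optional

# Constructed sample events, loosely modelled on Google Workspace Admin audit
# entries for group membership changes. Field names are assumptions.
SAMPLE_EVENTS = [
    {"event_name": "ADD_GROUP_MEMBER", "actor": "admin@example.com",
     "user_email": "alice@example.com", "group_email": "finance@example.com"},
    {"event_name": "ADD_GROUP_MEMBER", "actor": "admin@example.com",
     "user_email": "mallory@external-mail.test", "group_email": "finance@example.com"},
    {"event_name": "ADD_GROUP_MEMBER", "actor": "admin@example.com",
     "user_email": "bob@eu.example.com", "group_email": "eng@example.com"},
    # Removal of an external member is not what this detection is about.
    {"event_name": "REMOVE_GROUP_MEMBER", "actor": "admin@example.com",
     "user_email": "eve@attacker.test", "group_email": "eng@example.com"},
    # Mixed-case addresses must still compare as internal.
    {"event_name": "ADD_GROUP_MEMBER", "actor": "admin@example.com",
     "user_email": "Carol@EXAMPLE.COM", "group_email": "eng@example.com"},
    # Malformed member address: surfaced rather than treated as internal.
    {"event_name": "ADD_GROUP_MEMBER", "actor": "admin@example.com",
     "user_email": "not-an-email", "group_email": "eng@example.com"},
]

# The organization's own Google Workspace domain(s); assumed value.
ORG_DOMAINS = {"example.com"}


def email_domain(address: str) -> Optional[str]:
    """Return the lower-cased domain part of an email address, or None if malformed."""
    if not address or "@" not in address:
        return None
    local, _, domain = address.rpartition("@")
    if not local or not domain or "." not in domain:
        return None
    return domain.lower()


def is_internal(domain: str, org_domains: Iterable[str]) -> bool:
    """True when the domain equals, or is a subdomain of, an organization domain."""
    domain = domain.lower()
    for org in org_domains:
        org = org.lower()
        if domain == org or domain.endswith("." + org):
            return True
    return False


def find_external_group_additions(events: Iterable[dict], org_domains: Iterable[str]) -> list:
    """Return alert records for ADD_GROUP_MEMBER events whose member is external.

    Each alert carries a 'reason' of either 'external_domain' or
    'malformed_member_email' plus the original event fields.
    """
    org = {d.lower() for d in org_domains}
    alerts = []
    for event in events:
        if event.get("event_name") != "ADD_GROUP_MEMBER":
            continue
        domain = email_domain(event.get("user_email", ""))
        if domain is None:
            alerts.append({"reason": "malformed_member_email", **event})
            continue
        if not is_internal(domain, org):
            alerts.append({"reason": "external_domain", "member_domain": domain, **event})
    return alerts


if __name__ == "__main__":
    for alert in find_external_group_additions(SAMPLE_EVENTS, ORG_DOMAINS):
        print(f"{alert['reason']}: {alert['user_email']} added to "
              f"{alert['group_email']} by {alert['actor']}")
```

When triaging a hit, the actor field is the first thing to check: an addition performed by a known administrator onboarding a contractor is the legitimate case the rule's guide lists as a false positive, while additions by an unexpected actor or to sensitive groups warrant the disable-and-investigate steps the rule recommends.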
Categories
- Cloud
- Identity Management
- Web
Data Sources
- User Account
- Group
- Application Log
ATT&CK Techniques
- T1078
- T1078.004
Created: 2023-02-16