GCP cloudfunctions functions create

Panther Rules

Summary
This detection rule monitors the creation of Google Cloud Functions in a GCP environment, where improperly granted IAM permissions can enable privilege escalation. The rule uses Google Cloud Audit Logs and analyzes the authorization information relating to the `cloudfunctions.functions.create` permission. Observing Cloud Function creation helps identify unauthorized or potentially harmful configurations that could lead to escalated privileges in GCP. Given the sensitivity of such operations, any detected occurrence is flagged at 'High' severity. The associated runbook advises verifying whether the behavior was authorized and emphasizes adhering to the principle of least privilege to mitigate the risks associated with privilege escalation. Granted permissions need strict monitoring and control to avoid inadvertent vulnerabilities in the cloud configuration.
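The check described in the summary, sketched as an added example (this is not the Panther rule's own source): it matches audit-log events whose authorization information shows `cloudfunctions.functions.create` was granted. The alert shape, the helper `_event`, and every sample value are assumptions constructed for illustration.

```python
# Added example. Field names follow the Cloud Audit Logs entry layout;
# the alert shape and all sample events are constructed for illustration.
TARGET_PERMISSION = "cloudfunctions.functions.create"
SAMPLE_RESOURCE = "projects/example-project/locations/us-central1/functions/example-fn"


def granted_create_entries(event):
    """Return authorizationInfo entries where the target permission was granted."""
    payload = event.get("protoPayload") or {}
    return [
        entry for entry in (payload.get("authorizationInfo") or [])
        if isinstance(entry, dict)
        and entry.get("permission") == TARGET_PERMISSION
        # Denied checks may carry granted=False or omit the field entirely.
        and entry.get("granted") is True
    ]


def evaluate(event):
    """Return a High-severity alert dict for a match, otherwise None."""
    hits = granted_create_entries(event)
    if not hits:
        return None
    payload = event["protoPayload"]
    actor = (payload.get("authenticationInfo") or {}).get("principalEmail")
    return {
        "severity": "High",
        "actor": actor or "<unknown>",
        "method": payload.get("methodName", "<unknown>"),
        "resources": [h.get("resource", "<unknown>") for h in hits],
    }


def _event(permission, granted, actor="dev@example.com"):
    """Build a constructed audit-log event (hypothetical helper)."""
    info = {"permission": permission, "resource": SAMPLE_RESOURCE}
    if granted is not None:
        info["granted"] = granted
    return {"protoPayload": {
        "methodName": "google.cloud.functions.v1.CloudFunctionsService.CreateFunction",
        "authenticationInfo": {"principalEmail": actor},
        "authorizationInfo": [info],
    }}


SAMPLE_EVENTS = [
    _event(TARGET_PERMISSION, True),               # granted: alert
    _event(TARGET_PERMISSION, False),              # denied attempt: no alert
    _event(TARGET_PERMISSION, None),               # granted omitted: no alert
    _event("cloudfunctions.functions.get", True),  # different permission
    {"protoPayload": {"methodName": "x"}},         # no authorizationInfo
]
```

Denied attempts are excluded here because the summary concerns function creation; a separate lower-severity rule on denied checks would cover probing.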
Categories
  • Cloud
  • GCP
  • Infrastructure
Data Sources
  • Group
  • Application Log
  • Cloud Service
  • Process
ATT&CK Techniques
  • T1548
Created: 2024-01-30