
Summary
This detection rule monitors the creation and updating of inbound SSO profiles in Google Cloud Platform (GCP). It uses audit logs to identify events that signal account manipulation, namely the creation of a new SSO profile or the modification of an existing one. Adversaries may abuse SSO profiles to establish persistence, gain unauthorized access, or escalate privileges by adding themselves or others to these profiles, so any match should trigger immediate review to validate that the change was legitimate. The rule applies specific conditions to separate expected changes from potentially malicious activity, focusing on the user accounts that made the changes. Incidents detected by this rule are rated 'High' severity, reflecting the significant risk that unauthorized SSO profile changes pose to the environment.
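As an added illustration (not the rule's own query logic), the following Python applies the same matching to exported GCP audit-log lines: flag inbound SSO profile create/update events, suppress principals on an expected-change allowlist, and surface everything else at 'High' severity with the acting account. The method-name suffixes, the allowlisted service account and the sample log entries are constructed assumptions, since the page does not list the real audit-log method names.

```python
import json
from typing import Any, Optional

# Assumed method-name suffixes for inbound SSO profile changes; the page does not
# list the real GCP audit-log method names, so confirm these against your own logs.
SSO_PROFILE_METHODS = {
    "CreateInboundSsoProfile": "create",
    "UpdateInboundSsoProfile": "update",
}

# Principals expected to change SSO profiles (hypothetical IaC service account);
# any other account that touches a profile is surfaced for review.
EXPECTED_PRINCIPALS = {"sso-iac@example-project.iam.gserviceaccount.com"}

def classify_entry(entry: dict[str, Any]) -> Optional[dict[str, Any]]:
    """Return a High-severity alert for an inbound SSO profile create/update
    made by a principal outside EXPECTED_PRINCIPALS, otherwise None."""
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName", "")
    action = next((a for m, a in SSO_PROFILE_METHODS.items() if method.endswith(m)), None)
    if action is None:
        return None  # not an SSO profile change
    actor = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
    if actor in EXPECTED_PRINCIPALS:
        return None  # expected change-management path; not alerted
    return {
        "severity": "High",
        "action": action,
        "actor": actor,
        "resource": payload.get("resourceName", "<unknown>"),
        "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
        "timestamp": entry.get("timestamp"),
    }

def detect(ndjson_lines: list[str]) -> list[dict[str, Any]]:
    """Apply the rule to newline-delimited JSON audit-log export lines."""
    alerts = []
    for line in ndjson_lines:
        if line.strip():
            alert = classify_entry(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts

# Constructed sample export lines (not real log data): one unexpected create,
# one allowlisted update, one read-only call that must not match.
SAMPLE_LOGS = [
    '{"timestamp":"2023-11-17T10:02:11Z","protoPayload":{"methodName":"google.cloud.identity.InboundSsoService.CreateInboundSsoProfile","resourceName":"inboundSsoProfiles/ABC123","authenticationInfo":{"principalEmail":"new-admin@example.com"},"requestMetadata":{"callerIp":"203.0.113.7"}}}',
    '{"timestamp":"2023-11-17T10:05:40Z","protoPayload":{"methodName":"google.cloud.identity.InboundSsoService.UpdateInboundSsoProfile","resourceName":"inboundSsoProfiles/ABC123","authenticationInfo":{"principalEmail":"sso-iac@example-project.iam.gserviceaccount.com"}}}',
    '{"timestamp":"2023-11-17T10:06:02Z","protoPayload":{"methodName":"google.cloud.identity.InboundSsoService.GetInboundSsoProfile","authenticationInfo":{"principalEmail":"new-admin@example.com"}}}',
]
```

Running `detect(SAMPLE_LOGS)` yields a single alert for the create by `new-admin@example.com`; the allowlisted update and the read-only call produce nothing.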
Categories
- Cloud
- Identity Management
- AWS
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1136.003
- T1098.003
Created: 2023-11-17