
Summary
This detection rule fires when a Google Workspace (GSuite) administrator creates a data export, an action that is often routine administration but is also one of the simplest ways to exfiltrate an organization's data in bulk. It matches GSuite activity events whose name is CUSTOMER_TAKEOUT_CREATED or CUSTOMER_TAKEOUT_SUCCEEDED. The rule's guidance also treats related administrative changes, such as edits to calendar sharing settings, as signals worth correlating, since they can indicate unintended data exposure or misuse of admin credentials. On a match, the recommended response is to confirm that the export was intended and to review the actor's other recent activity for signs of account compromise. Alerts carry medium severity: the event warrants prompt review but is not by itself proof of malicious activity. The rule requires GSuite.ActivityEvent logs to be ingested and is part of broader monitoring of the GSuite environment.
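The following is an added example, not the rule's own source code: a Panther-style rule body implementing the detection described above, run offline against a few constructed GSuite.ActivityEvent records. The field layout (top-level `name`, `type`, `actor.email`, `id.applicationName`, `parameters`) and the use of `applicationName == "admin"` to scope to admin-console events are assumptions about the log schema; the calendar-setting event in the sample data is constructed to show how the actor's other activity can be pulled alongside the export for triage.

```python
"""Added example (not the page's or Panther's code): detect Google Workspace
admin data exports in GSuite.ActivityEvent records and surface the actor's
other activity for triage.

ASSUMPTION: records are flattened, one activity event per record, with
top-level "name", "type", "actor", "id" and "parameters" keys.
"""
from typing import Dict, List

# Event names the page cites for admin data exports (Takeout).
EXPORT_EVENTS = {"CUSTOMER_TAKEOUT_CREATED", "CUSTOMER_TAKEOUT_SUCCEEDED"}


def rule(event: Dict) -> bool:
    """Return True when an admin-console event records a data export."""
    # ASSUMPTION: admin audit events carry id.applicationName == "admin".
    if event.get("id", {}).get("applicationName", "").lower() != "admin":
        return False
    return event.get("name") in EXPORT_EVENTS


def title(event: Dict) -> str:
    actor = event.get("actor", {}).get("email", "<unknown actor>")
    return f"Google Workspace data export {event.get('name')} by {actor}"


def severity(event: Dict) -> str:
    # The page states the alert is medium severity.
    return "MEDIUM"


def related_activity(events: List[Dict], actor_email: str) -> List[str]:
    """Names of the actor's non-export admin events, for the runbook step
    'review the actor's other activities'."""
    return [
        e.get("name", "")
        for e in events
        if e.get("actor", {}).get("email") == actor_email
        and e.get("name") not in EXPORT_EVENTS
    ]


def run(events: List[Dict]) -> List[str]:
    """Evaluate the rule over a batch and return alert titles."""
    return [title(e) for e in events if rule(e)]


# Constructed sample records; not real log data.
SAMPLE_EVENTS = [
    {
        "id": {"applicationName": "admin", "time": "2022-12-14T10:00:00Z"},
        "actor": {"email": "admin@example.com", "callerType": "USER"},
        "type": "DOMAIN_SETTINGS",
        "name": "CHANGE_CALENDAR_SETTING",
        "parameters": {"SETTING_NAME": "SHARING_OUTSIDE_DOMAIN"},
    },
    {
        "id": {"applicationName": "admin", "time": "2022-12-14T10:05:00Z"},
        "actor": {"email": "admin@example.com", "callerType": "USER"},
        "type": "DOMAIN_SETTINGS",
        "name": "CUSTOMER_TAKEOUT_CREATED",
        "parameters": {},
    },
    {
        "id": {"applicationName": "admin", "time": "2022-12-14T11:30:00Z"},
        "actor": {"email": "admin@example.com", "callerType": "USER"},
        "type": "DOMAIN_SETTINGS",
        "name": "CUSTOMER_TAKEOUT_SUCCEEDED",
        "parameters": {},
    },
    {
        # Same event name but from a non-admin application: must not fire.
        "id": {"applicationName": "drive", "time": "2022-12-14T11:31:00Z"},
        "actor": {"email": "user@example.com", "callerType": "USER"},
        "type": "access",
        "name": "CUSTOMER_TAKEOUT_CREATED",
        "parameters": {},
    },
]

if __name__ == "__main__":
    for t in run(SAMPLE_EVENTS):
        print(t)
    print("other admin activity:",
          related_activity(SAMPLE_EVENTS, "admin@example.com"))
```

Scoping on `applicationName` keeps the rule from firing on unrelated applications that might reuse an event name, and `related_activity` gives the analyst the context the runbook asks for in the same pass rather than as a follow-up query.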
Categories
- Cloud
- AWS
- GCP
- Infrastructure
Data Sources
- User Account
- Cloud Service
- Application Log
Created: 2022-12-14