
Summary
This detection rule identifies the creation of a new key for a Google Cloud Platform (GCP) service account by monitoring GCP Cloud Audit Logs. A user-managed service account key is a long-lived credential: an adversary who holds, or has compromised a principal holding, the `iam.serviceAccountKeys.create` permission can mint one and then authenticate as that service account from anywhere, with all of the account's permissions, independently of the compromised identity's session and of console or MFA controls. Creating a key is therefore a common way to establish persistence after an initial foothold in a GCP project. The Splunk query in the rule calls a helper that retrieves the cloud audit data and filters for events whose method name denotes a service account key creation (event name `CreateServiceAccountKey`; in the audit log the full method name is `google.iam.admin.v1.CreateServiceAccountKey`). It formats the results as a table containing the timestamp, host, user, event details, account information, resource ID, action taken, permissions granted, user type, source IP address, HTTP user agent, and any associated message. The rule additionally groups events by source IP so that repeated key creations from a single address stand out. It maps to MITRE ATT&CK technique T1098 (Account Manipulation); the most specific sub-technique for this behaviour is T1098.001, Additional Cloud Credentials. Expect legitimate hits from CI/CD pipelines and infrastructure-as-code tooling that create or rotate keys; tune by allow-listing known automation principals and their source IPs rather than by suppressing the event, and review any creation made by a human user or from an unfamiliar IP or user agent.
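The same detection logic applied outside Splunk, as an added example that is not the rule's own SPL: it parses newline-delimited GCP audit log entries, keeps only service account key creations, projects the fields the rule tabulates, and groups the hits by caller IP. The field names follow the Cloud Audit Logs `AuditLog` schema (`protoPayload.methodName`, `protoPayload.authenticationInfo.principalEmail`, `protoPayload.requestMetadata.callerIp`, and so on); the log entries themselves are constructed for illustration, and the user-type classification by principal e-mail suffix is a heuristic assumed here, not part of the rule.

```python
import json
from collections import defaultdict

IAM_SERVICE = "iam.googleapis.com"
# The full method name is google.iam.admin.v1.CreateServiceAccountKey; matching on
# the suffix is what the rule's `CreateServiceAccountKey` event name amounts to.
KEY_CREATE_SUFFIX = "CreateServiceAccountKey"


def _constructed_entry(ts, method, principal, ip, user_agent, target_sa, permission):
    """Build one constructed (not real) audit log line in the Cloud Audit Logs shape."""
    return json.dumps({
        "timestamp": ts,
        "logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Factivity",
        "resource": {"type": "service_account"},
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": IAM_SERVICE,
            "methodName": method,
            "resourceName": "projects/-/serviceAccounts/" + target_sa,
            "authenticationInfo": {"principalEmail": principal},
            "authorizationInfo": [{"permission": permission, "granted": True}],
            "requestMetadata": {"callerIp": ip, "callerSuppliedUserAgent": user_agent},
        },
    })


# Constructed sample: two key creations from the same IP by human users, one benign
# read-only IAM call that the filter must ignore, one non-JSON line, and one key
# creation by an automation service account from a different IP.
SAMPLE_LOG_LINES = [
    _constructed_entry("2024-02-09T10:15:22Z", "google.iam.admin.v1.CreateServiceAccountKey",
                       "alice@example.com", "203.0.113.10", "google-cloud-sdk gcloud/460.0.0",
                       "deploy@example-proj.iam.gserviceaccount.com", "iam.serviceAccountKeys.create"),
    _constructed_entry("2024-02-09T10:15:40Z", "google.iam.admin.v1.GetServiceAccount",
                       "alice@example.com", "203.0.113.10", "google-cloud-sdk gcloud/460.0.0",
                       "deploy@example-proj.iam.gserviceaccount.com", "iam.serviceAccounts.get"),
    "this line is not JSON and must be skipped",
    _constructed_entry("2024-02-09T11:02:05Z", "google.iam.admin.v1.CreateServiceAccountKey",
                       "ci-runner@example-proj.iam.gserviceaccount.com", "198.51.100.7",
                       "Terraform/1.6.0", "app@example-proj.iam.gserviceaccount.com",
                       "iam.serviceAccountKeys.create"),
    _constructed_entry("2024-02-09T11:30:11Z", "google.iam.admin.v1.CreateServiceAccountKey",
                       "bob@example.com", "203.0.113.10", "Mozilla/5.0",
                       "deploy@example-proj.iam.gserviceaccount.com", "iam.serviceAccountKeys.create"),
]


def parse_entries(lines):
    """Parse NDJSON audit entries, dropping lines that are not valid JSON objects."""
    entries = []
    for line in lines:
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            entries.append(obj)
    return entries


def is_sa_key_creation(entry):
    """True when the entry records a service account key creation on the IAM service."""
    payload = entry.get("protoPayload", {})
    return (payload.get("serviceName") == IAM_SERVICE
            and str(payload.get("methodName", "")).endswith(KEY_CREATE_SUFFIX))


def principal_type(email):
    # Assumption: service account principals end in .gserviceaccount.com.
    return "service_account" if email.endswith(".gserviceaccount.com") else "user"


def to_row(entry):
    """Project the fields the rule tabulates from one matching audit entry."""
    payload = entry["protoPayload"]
    meta = payload.get("requestMetadata", {})
    user = payload.get("authenticationInfo", {}).get("principalEmail", "")
    granted = [a.get("permission") for a in payload.get("authorizationInfo", []) if a.get("granted")]
    return {
        "timestamp": entry.get("timestamp"),
        "user": user,
        "user_type": principal_type(user),
        "event": payload.get("methodName"),
        "resource": payload.get("resourceName"),
        "permissions": granted,
        "src_ip": meta.get("callerIp"),
        "user_agent": meta.get("callerSuppliedUserAgent"),
    }


def detect(lines):
    """Run the rule's filter over raw log lines and return the tabulated hits."""
    return [to_row(e) for e in parse_entries(lines) if is_sa_key_creation(e)]


def group_by_source_ip(rows):
    """Group hits by caller IP, mirroring the rule's final grouping step."""
    grouped = defaultdict(list)
    for row in rows:
        grouped[row["src_ip"]].append(row)
    return dict(grouped)


if __name__ == "__main__":
    for ip, hits in group_by_source_ip(detect(SAMPLE_LOG_LINES)).items():
        users = sorted({h["user"] for h in hits})
        print(f"{ip}: {len(hits)} key creation(s) by {users}")
```

In the sample, the automation hit from `198.51.100.7` is the kind of event an allow-list of known CI principals would suppress, while the two human-initiated creations from `203.0.113.10` are what the grouping is meant to surface for review.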
Categories
- Cloud
- GCP
Data Sources
- Cloud Service
- Group
- User Account
ATT&CK Techniques
- T1098
Created: 2024-02-09