Google Workspace Advanced Protection Program

Panther Rules

Summary
This detection rule monitors changes to the Google Workspace Advanced Protection Program settings in an organization's Google account. It checks for specific user actions and modifications that could indicate unauthorized changes to security configurations, and it captures logs related to changes in application settings, user enrollments, and modifications that may signal security incidents. A legitimate alteration to the Advanced Protection Program should correspond to expected user actions with valid parameters; anomalous activity or unexpected null values can trigger alerts for further investigation. The rule is classified as medium severity: potentially important but not an immediately critical threat, requiring moderate attention from security teams.
Categories
  • Cloud
  • Identity Management
  • Web
  • Application
Data Sources
  • User Account
  • Application Log
  • Network Traffic
Created: 2022-12-15