
Summary
This detection rule identifies the creation of tag bindings in Google Cloud Platform (GCP), which can be a vector for privilege escalation through tag-based access controls. The underlying concern is that an unauthorized user may abuse this functionality to gain additional permissions: because IAM roles can be granted on the basis of the tags attached to a resource, binding a tag to a resource can in effect layer the permissions of those tag-scoped roles on top of what the user already holds. The rule watches GCP's audit logs for tag binding operations; specifically, it looks for API calls that create tag bindings. When such a creation is detected, further investigation is prompted to confirm that the requesting principal was authorized to make it.
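As an added example (not the rule's own logic or code from the original page), the check below applies the summary's detection idea to a few constructed Cloud Audit Log lines. The service and method names used to recognise a tag binding creation are assumptions about how GCP records that call and are not stated on the page.

```python
import json
# Assumed (not stated on the page): how Cloud Audit Logs name the call that
# creates a tag binding. Adjust if your log export uses different names.
TAG_SERVICE = "cloudresourcemanager.googleapis.com"
TAG_CREATE_METHOD = "google.cloud.resourcemanager.v3.TagBindings.CreateTagBinding"

# Constructed sample log lines (not real data): a successful creation, an
# unrelated IAM call, and a creation attempt that was denied.
SAMPLE_LOG_LINES = [
    json.dumps({"timestamp": "2025-07-08T10:15:00Z", "protoPayload": {
        "serviceName": TAG_SERVICE, "methodName": TAG_CREATE_METHOD,
        "authenticationInfo": {"principalEmail": "dev@example.com"},
        "request": {"tagBinding": {"tagValue": "tagValues/111",
                    "parent": "//cloudresourcemanager.googleapis.com/projects/123"}}}}),
    json.dumps({"timestamp": "2025-07-08T10:16:00Z", "protoPayload": {
        "serviceName": "iam.googleapis.com",
        "methodName": "google.iam.admin.v1.ListServiceAccounts",
        "authenticationInfo": {"principalEmail": "dev@example.com"}}}),
    json.dumps({"timestamp": "2025-07-08T10:17:00Z", "protoPayload": {
        "serviceName": TAG_SERVICE, "methodName": TAG_CREATE_METHOD,
        "status": {"code": 7, "message": "PERMISSION_DENIED"},
        "authenticationInfo": {"principalEmail": "intern@example.com"},
        "request": {"tagBinding": {"tagValue": "tagValues/222",
                    "parent": "//cloudresourcemanager.googleapis.com/projects/123"}}}}),
]

def parse_tag_binding_creations(lines):
    """One finding per tag binding creation call; denied attempts are kept
    (succeeded=False) because a principal trying and failing is itself a lead."""
    findings = []
    for raw in lines:
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed export line: skip rather than crash the job
        payload = entry.get("protoPayload") or {}
        if (payload.get("serviceName") != TAG_SERVICE
                or payload.get("methodName") != TAG_CREATE_METHOD):
            continue
        binding = (payload.get("request") or {}).get("tagBinding") or {}
        findings.append({
            "time": entry.get("timestamp"),
            "principal": (payload.get("authenticationInfo") or {}).get("principalEmail"),
            "tag_value": binding.get("tagValue"),
            "parent": binding.get("parent"),
            # Cloud Audit Logs omit status (or set code 0) when the call succeeded.
            "succeeded": (payload.get("status") or {}).get("code", 0) == 0,
        })
    return findings
```

Each finding carries the principal, the tag value and the parent resource, which are the fields an analyst needs to decide whether the requestor was entitled to bind that tag.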
Categories
- Cloud
- GCP
- Infrastructure
- Identity Management
Data Sources
- Group
- User Account
- Cloud Service
- Network Traffic
- Application Log
Created: 2025-07-08