Google Workspace User Organizational Unit Changed

Elastic Detection Rules

Summary
The rule 'Google Workspace User Organizational Unit Changed' is designed to detect unauthorized modifications of the organizational unit (OU) assigned to a user in Google Workspace. Users are typically placed in OUs according to their roles, and the OU determines which applications and resources they can reach and with what permissions. An adversary holding valid credentials can move a user into a different OU to obtain access the user was never intended to have. The rule queries Google Workspace logs for events indicating that a user's organizational unit was changed, focusing on actions categorized as changes to user settings. It directs investigators to determine whether the user's new OU grants privileges that a threat actor could exploit. Investigation steps include comparing the previous and current OU assignments, reviewing the applications associated with the new OU, and confirming that administrator privileges remain correctly scoped. False positives are handled by verifying legitimate organizational changes and reviewing internal role adjustments. Overall, the rule strengthens the security posture of Google Workspace by monitoring for account manipulation activity.
Categories
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1098
  • T1098.003
Created: 2022-09-06