GCP Successful Single-Factor Authentication

Splunk Security Content

Summary
This detection identifies successful single-factor authentications by Google accounts used to access Google Cloud Platform (GCP) that do not have Multi-Factor Authentication (MFA) enabled. It runs over Google Workspace login event data and flags login-success events in which no second factor was presented. Such events can point to a policy gap (MFA not enforced for the user or organizational unit), a misconfiguration, or an account-takeover attempt: with only a password standing between an attacker and the account, unauthorized access to GCP resources can lead to data breaches and service interruptions. Reviewing the resulting user, source address and authentication-method details lets an organization verify that its MFA policy is actually applied and follow up on accounts that keep authenticating without it.
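As an added example (this is not the rule's own SPL, which this page does not show), the following Python applies the same logic to a handful of constructed Google Workspace login activity records and aggregates the hits per user and source IP, much as a Splunk `stats` clause would. The record shape follows the Google Workspace Reports API login activity as I understand it (`actor.email`, `ipAddress`, `id.time`, `events[].name`, and an `events[].parameters[]` list carrying `login_type` and the multi-valued `login_challenge_method`); the field names, the set of methods treated as a second factor, and every sample record are assumptions for illustration.

```python
"""Flag successful Google Workspace logins that completed without a second factor.

Added example, not Splunk's detection. Field names follow the Google Workspace
Reports API 'login' activity as understood by the author of this example; the
sample records at the bottom are constructed, not real telemetry.
"""
from dataclasses import dataclass, field

# Challenge methods that count as a second factor. Assumption: these mirror the
# login_challenge_method values Google emits; extend the set for your tenant.
SECOND_FACTOR_METHODS = {
    "idv_preregistered_phone", "idv_any_phone", "security_key", "google_prompt",
    "backup_code", "google_authenticator", "offline_otp",
}


@dataclass
class Finding:
    user: str
    src_ip: str
    count: int = 0
    first_time: str = ""
    last_time: str = ""
    challenge_methods: set = field(default_factory=set)


def _params(event):
    """Flatten one event's parameters[] list into a dict name -> value."""
    out = {}
    for p in event.get("parameters", []):
        if "multiValue" in p:
            out[p["name"]] = list(p["multiValue"])
        elif "boolValue" in p:
            out[p["name"]] = p["boolValue"]
        else:
            out[p["name"]] = p.get("value")
    return out


def is_single_factor_success(params, event_name):
    """True for a login_success whose challenge methods include no second factor."""
    if event_name != "login_success":
        return False
    if params.get("login_type") == "saml":
        # MFA, if any, is enforced by the external IdP and is not visible in this
        # event, so it is neither a hit nor proof of MFA; review it separately.
        return False
    methods = set(params.get("login_challenge_method") or [])
    return not (methods & SECOND_FACTOR_METHODS)


def detect_single_factor_logins(activities):
    """Aggregate single-factor successes per (user, src_ip) with first/last seen."""
    findings = {}
    for act in activities:
        user = act.get("actor", {}).get("email", "unknown")
        src_ip = act.get("ipAddress", "unknown")
        ts = act.get("id", {}).get("time", "")  # RFC 3339 UTC: string order == time order
        for ev in act.get("events", []):
            params = _params(ev)
            if not is_single_factor_success(params, ev.get("name")):
                continue
            f = findings.setdefault((user, src_ip), Finding(user=user, src_ip=src_ip))
            f.count += 1
            f.first_time = min(f.first_time or ts, ts)
            f.last_time = max(f.last_time, ts)
            f.challenge_methods.update(params.get("login_challenge_method") or ["<none>"])
    return sorted(findings.values(), key=lambda f: (f.user, f.src_ip))


def _activity(email, ip, time, name, params):
    """Build one constructed login activity record in the assumed Reports API shape."""
    return {
        "id": {"time": time, "applicationName": "login"},
        "actor": {"email": email},
        "ipAddress": ip,
        "events": [{"type": "login", "name": name, "parameters": params}],
    }


# Constructed sample data (not real logs).
SAMPLE_ACTIVITIES = [
    _activity("alice@example.com", "203.0.113.10", "2024-11-14T08:00:00.000Z", "login_success",
              [{"name": "login_type", "value": "google_password"},
               {"name": "login_challenge_method", "multiValue": ["password"]}]),
    _activity("bob@example.com", "198.51.100.7", "2024-11-14T08:05:00.000Z", "login_success",
              [{"name": "login_type", "value": "google_password"},
               {"name": "login_challenge_method", "multiValue": ["password", "idv_preregistered_phone"]}]),
    _activity("alice@example.com", "203.0.113.10", "2024-11-14T09:30:00.000Z", "login_success",
              [{"name": "login_type", "value": "google_password"},
               {"name": "login_challenge_method", "multiValue": ["password"]}]),
    _activity("carol@example.com", "203.0.113.99", "2024-11-14T09:31:00.000Z", "login_failure",
              [{"name": "login_type", "value": "google_password"}]),
    _activity("dave@example.com", "192.0.2.20", "2024-11-14T09:40:00.000Z", "login_success",
              [{"name": "login_type", "value": "saml"}]),
    _activity("eve@example.com", "192.0.2.44", "2024-11-14T10:00:00.000Z", "login_success",
              [{"name": "login_type", "value": "google_password"}]),  # no challenge list at all
]

if __name__ == "__main__":
    for f in detect_single_factor_logins(SAMPLE_ACTIVITIES):
        print(f"{f.user} from {f.src_ip}: {f.count} single-factor login(s), "
              f"{f.first_time} .. {f.last_time}, methods={sorted(f.challenge_methods)}")
```

Two points of the logic are worth keeping when porting this to a real search: an event with no `login_challenge_method` at all is treated as single-factor rather than skipped, because absence of a second factor is exactly what the detection is looking for; and SAML logins are excluded rather than flagged, since whether MFA happened is decided at the external identity provider and has to be checked in that provider's logs.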
Categories
  • Cloud
  • GCP
  • Identity Management
Data Sources
  • User Account
  • Script
ATT&CK Techniques
  • T1078
  • T1586
  • T1586.003
  • T1078.004
Created: 2024-11-14