
Summary
This rule detects the transfer of file ownership within Google Drive, a service under Google Workspace, from one user to another. Ownership transfer is a normal administrative operation, but it can also be abused by adversaries seeking to exfiltrate sensitive data. The rule queries for CREATE_DATA_TRANSFER_REQUEST actions in the Google Workspace admin events dataset. Permission settings maintained by admins govern file access, but adversaries may abuse this mechanism after gaining access to sensitive files or accounts, for instance by using phishing to exploit shared-document privileges. Investigative steps following a detection include reviewing admin logs for the activity of the user accounts involved, ensuring that no account involved was recently disabled, and assessing whether the permission change is appropriate under organizational policy. The detection maps to the MITRE ATT&CK Collection tactic, underscoring the importance of stringent access controls in cloud environments. False positives may arise from legitimate administrative file transfers during role changes or employee leave, so incidents flagged by the rule need thorough vetting. The rule operates within a defined time interval for scanning Google Workspace events and requires the appropriate data source to be set up for effective monitoring.
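The following is an added example, not part of the rule or its original documentation: it applies the rule's match condition to a few constructed Google Workspace admin event records and annotates each hit with the "recently disabled account" triage context described above. The flat field names (`event.dataset`, `event.action`, `application`, `actor`, `source_user`, `target_user`) and the disabled-account list are assumptions for illustration, not the page's schema.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample admin events (field names are assumed, not a real schema).
SAMPLE_EVENTS = [
    {"@timestamp": "2022-08-24T10:00:00Z", "event.dataset": "google_workspace.admin",
     "event.action": "CREATE_DATA_TRANSFER_REQUEST", "application": "Drive and Docs",
     "actor": "admin@example.com", "source_user": "alice@example.com", "target_user": "bob@example.com"},
    {"@timestamp": "2022-08-24T10:05:00Z", "event.dataset": "google_workspace.admin",
     "event.action": "CREATE_DATA_TRANSFER_REQUEST", "application": "Drive and Docs",
     "actor": "admin@example.com", "source_user": "carol@example.com", "target_user": "dave@example.com"},
    # Same dataset, different admin action: must not match.
    {"@timestamp": "2022-08-24T10:06:00Z", "event.dataset": "google_workspace.admin",
     "event.action": "CHANGE_USER_PASSWORD", "application": "Admin Console",
     "actor": "admin@example.com", "source_user": "erin@example.com", "target_user": ""},
    # Same action name but outside the admin dataset: must not match.
    {"@timestamp": "2022-08-24T10:07:00Z", "event.dataset": "google_workspace.drive",
     "event.action": "CREATE_DATA_TRANSFER_REQUEST", "application": "Drive and Docs",
     "actor": "frank@example.com", "source_user": "frank@example.com", "target_user": "grace@example.com"},
]

# Constructed: accounts disabled recently, with the time they were disabled.
DISABLED_ACCOUNTS = {"carol@example.com": "2022-08-24T09:30:00Z"}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def match_ownership_transfer(event):
    """The rule's match condition: a Drive ownership transfer request in the admin dataset."""
    return (event.get("event.dataset") == "google_workspace.admin"
            and event.get("event.action") == "CREATE_DATA_TRANSFER_REQUEST"
            and event.get("application") == "Drive and Docs")


def triage(events, disabled_accounts, window=timedelta(days=7)):
    """Return one alert per matching event, annotated with triage context.

    A recently disabled account is surfaced as context only: it is expected during
    offboarding (a known false-positive source) and worth scrutiny otherwise.
    """
    alerts = []
    for ev in events:
        if not match_ownership_transfer(ev):
            continue
        transferred_at = parse_ts(ev["@timestamp"])
        flags = []
        for user in (ev["source_user"], ev["target_user"]):
            disabled_at = disabled_accounts.get(user)
            if disabled_at and timedelta(0) <= transferred_at - parse_ts(disabled_at) <= window:
                flags.append(f"{user} was disabled within {window.days} days before the transfer")
        alerts.append({"actor": ev["actor"], "from": ev["source_user"],
                       "to": ev["target_user"], "flags": flags})
    return alerts
```

Running `triage(SAMPLE_EVENTS, DISABLED_ACCOUNTS)` yields two alerts; only the second carries a disabled-account flag, so the analyst can separate an offboarding transfer from one that needs a closer look at the admin logs.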
Categories
- Cloud
Data Sources
- User Account
- Cloud Service
ATT&CK Techniques
- T1074
- T1074.002
Created: 2022-08-24