GCP: API Key Created

Anvilogic Forge

Summary
This detection rule monitors the creation of API keys within Google Cloud Platform (GCP) projects. It captures events logged in GCP audit logs, specifically targeting the API call for creating API keys. The logic executes a query in Snowflake that checks for any 'ApiKeys.CreateApiKey' events that occurred within the last two hours. This is critical for identifying potential security risks, as unauthorized API key creation could lead to data breaches or unauthorized access to cloud resources. Organizations should maintain strict controls over API keys and be alerted immediately to any creation events, especially if they are from untrusted sources or if the creation exceeds normal operational patterns.
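The logic described in the summary, sketched as an added example in Python; it is not the rule's Snowflake query, which this page does not show. Field names follow the Cloud Audit Logs JSON layout, while the sample entries, the `example.` method prefix and the function names are constructed for illustration.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Method string quoted in the summary. Matched as a suffix on the assumption
# that methodName values in audit logs carry a service prefix.
METHOD_SUFFIX = "ApiKeys.CreateApiKey"
WINDOW = timedelta(hours=2)

# Constructed sample entries (not real log data); "example." is a placeholder prefix.
def _entry(ts, method, who):
    return json.dumps({"timestamp": ts,
                       "resource": {"labels": {"project_id": "demo-proj"}},
                       "protoPayload": {"methodName": method,
                                        "authenticationInfo": {"principalEmail": who}}})

SAMPLE_LOGS = [
    _entry("2024-02-09T11:30:00Z", "example.ApiKeys.CreateApiKey", "dev@example.com"),
    _entry("2024-02-09T11:45:00Z", "example.ApiKeys.CreateApiKey", "dev@example.com"),
    _entry("2024-02-09T09:30:00Z", "example.ApiKeys.CreateApiKey", "old@example.com"),
    _entry("2024-02-09T11:50:00Z", "example.Other.Method", "dev@example.com"),
    _entry("2024-02-09T11:55:00Z", "example.ApiKeys.CreateApiKey", "svc@example.com"),
    "not json",
]

def find_key_creations(lines, now, window=WINDOW):
    """Return key-creation events whose timestamp falls in [now - window, now]."""
    hits = []
    for line in lines:
        try:
            entry = json.loads(line)
            payload = entry["protoPayload"]
            # Whole-second RFC 3339 timestamps; map "Z" for older fromisoformat.
            ts = datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))
            match = (payload["methodName"].endswith(METHOD_SUFFIX)
                     and now - window <= ts <= now)
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # malformed line or not an audit entry
        if match:
            auth = payload.get("authenticationInfo", {})
            project = entry.get("resource", {}).get("labels", {}).get("project_id", "unknown")
            hits.append({"time": ts, "project": project,
                         "principal": auth.get("principalEmail", "unknown")})
    return hits

def creations_per_principal(hits):
    """Count creations per caller so unusual volume stands out."""
    return Counter(h["principal"] for h in hits)
```

Counting per principal gives a starting point for the summary's two triage questions: whether the caller is expected to create keys, and whether the volume exceeds normal patterns.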
Categories
  • Cloud
  • GCP
Data Sources
  • Cloud Storage
  • Group
  • Service
ATT&CK Techniques
  • T1530
Created: 2024-02-09