
Google Workspace User Group Access Modified to Allow External Access
Elastic Detection Rules
Summary
This detection rule identifies modifications to user group settings in Google Workspace that open a group to external access, which can pose a significant security risk because group membership is often what grants access to shared Drive folders, calendars and other resources. Specifically, it looks for group setting changes in the admin audit log where 'ALLOW_EXTERNAL_MEMBERS' is set to 'true', or where 'WHO_CAN_JOIN' is changed to a value that lets users join without an invitation (for example, any user in the domain, or anyone at all). Adversaries who have obtained administrator privileges may use these settings to extend group access, and the resources it unlocks, to unauthorized or external accounts. This detection flags such modifications so that the integrity of user access management in Google Workspace can be maintained.

Note that while this rule makes sensitive changes visible, it may produce false positives, particularly for legitimate administrative activity that intentionally broadens access, such as opening a community or discussion group. Triage should therefore consider which group was changed and whether it carries a security group label, since opening a security group to outside members is far riskier than opening a public mailing list.
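The detection logic described above, re-implemented here as an added Python example that runs over a few constructed audit events. This is not the rule's own query or Elastic's code: the field names (event.action, google_workspace.admin.setting.name, google_workspace.admin.new_value, google_workspace.admin.group.email, source.user.email) are assumed to follow the Elastic Google Workspace integration's flattening of the admin audit log, and the treatment of CAN_REQUEST_TO_JOIN as still invite-gated (because an admin must approve the request) is a modelling choice. The known_public_groups allowlist is an added triage aid for the false-positive case the summary mentions, not part of the rule.

```python
"""Toy re-implementation of the 'group opened to external access' detection.

Added example, not Elastic's rule source. Field names are an assumption
modelled on the Elastic Google Workspace integration; check your own mapping.
"""

# WHO_CAN_JOIN values from the Google Groups Settings API. The first two still
# require an invitation or an admin approval, so changing to them does not
# widen access; ALL_IN_DOMAIN_CAN_JOIN and ANYONE_CAN_JOIN do.
INVITE_GATED_WHO_CAN_JOIN = {"INVITED_CAN_JOIN", "CAN_REQUEST_TO_JOIN"}


def _event(action, group, setting, new_value, old_value="", actor="admin@example.com"):
    """Build one constructed admin audit event in the assumed nested layout."""
    return {
        "event": {"dataset": "google_workspace.admin", "category": "iam", "action": action},
        "source": {"user": {"email": actor}},
        "google_workspace": {"admin": {
            "group": {"email": group},
            "setting": {"name": setting},
            "new_value": new_value,
            "old_value": old_value,
        }},
    }


# Constructed sample log: two changes that open groups up, two that tighten
# them, one public community group being opened, and one unrelated action.
SAMPLE_EVENTS = [
    _event("CHANGE_GROUP_SETTING", "finance@example.com", "ALLOW_EXTERNAL_MEMBERS", "true", "false"),
    _event("CHANGE_GROUP_SETTING", "finance@example.com", "ALLOW_EXTERNAL_MEMBERS", "false", "true"),
    _event("CHANGE_GROUP_SETTING", "engineering@example.com", "WHO_CAN_JOIN", "ALL_IN_DOMAIN_CAN_JOIN", "INVITED_CAN_JOIN"),
    _event("CHANGE_GROUP_SETTING", "engineering@example.com", "WHO_CAN_JOIN", "INVITED_CAN_JOIN", "ALL_IN_DOMAIN_CAN_JOIN"),
    _event("CHANGE_GROUP_SETTING", "community-forum@example.com", "WHO_CAN_JOIN", "ANYONE_CAN_JOIN", "CAN_REQUEST_TO_JOIN"),
    _event("ADD_GROUP_MEMBER", "finance@example.com", "", "", ""),
]


def get(event, dotted):
    """Read a dotted path such as 'event.action' from a nested dict, or None."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def external_access_reason(event):
    """Return why the event widens group access, or None if it does not."""
    if get(event, "event.dataset") != "google_workspace.admin":
        return None
    if get(event, "event.action") != "CHANGE_GROUP_SETTING":
        return None
    setting = get(event, "google_workspace.admin.setting.name")
    new_value = str(get(event, "google_workspace.admin.new_value") or "")
    if setting == "ALLOW_EXTERNAL_MEMBERS" and new_value.lower() == "true":
        return "external members allowed"
    if setting == "WHO_CAN_JOIN" and new_value.upper() not in INVITE_GATED_WHO_CAN_JOIN:
        return f"WHO_CAN_JOIN widened to {new_value}"
    return None


def find_external_access_changes(events, known_public_groups=()):
    """Run the detection over events; tag hits on allowlisted public groups as expected."""
    alerts = []
    for ev in events:
        reason = external_access_reason(ev)
        if reason is None:
            continue
        group = get(ev, "google_workspace.admin.group.email")
        alerts.append({
            "group": group,
            "actor": get(ev, "source.user.email"),
            "setting": get(ev, "google_workspace.admin.setting.name"),
            "new_value": get(ev, "google_workspace.admin.new_value"),
            "reason": reason,
            # Known public groups still alert, but are pre-labelled for triage.
            "triage": "expected" if group in set(known_public_groups) else "investigate",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_external_access_changes(SAMPLE_EVENTS, {"community-forum@example.com"}):
        print(alert)
```

Run stand-alone, the script reports three hits: the finance group being opened to external members, the engineering group's WHO_CAN_JOIN widened to the whole domain, and the community forum opened to anyone, with only the last pre-labelled as expected. The two tightening changes and the membership addition produce nothing, which is the behaviour to confirm against your own index before deploying a variant of this rule.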
Categories
- Cloud
- Identity Management
Data Sources
- User Account
- Application Log
- Cloud Service
ATT&CK Techniques
- T1098
- T1098.003
Created: 2022-08-24