
Summary
This detection rule monitors for deletions of role privileges within Google Workspace. Specifically, it matches events in which the Google Workspace admin service (logged via `admin.googleapis.com`) records an event named `REMOVE_PRIVILEGE`. Such a change may be a legitimate administrative action or an attempt to alter what users in the organization are permitted to do. The rule is assigned medium severity because an unauthorized change to privileges, whether an escalation or a removal, can have significant impact. Because the detection criteria match only on the event name, noise is filtered out and administrators can focus on significant administrative changes. Organizations should audit access controls regularly, and this rule helps surface critical modifications.
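As an added illustration (not the rule's own implementation or any vendor's code), the following Python script applies the detection criteria described above to newline-delimited JSON activity records shaped like Google Workspace Reports API admin audit entries. The record layout (`id.applicationName`, `actor.email`, `events[].name`, `events[].parameters`) follows the Reports API activity format; the sample records, and the parameter names `ROLE_NAME` and `PRIVILEGE_NAME`, are constructed for this example and are not taken from the page.

```python
import json
from typing import Any, Dict, Iterable, List

# Event name the rule keys on (from the page) and the application name under
# which the Reports API exposes admin.googleapis.com audit events (assumed).
WATCHED_EVENT = "REMOVE_PRIVILEGE"
ADMIN_APPLICATION = "admin"
SEVERITY = "medium"

# Constructed sample log: one REMOVE_PRIVILEGE event, one ASSIGN_ROLE event
# (admin app, different event name), one login event (different app),
# and one malformed line that a robust scanner must skip.
SAMPLE_LOG = """\
{"id": {"time": "2021-08-24T10:15:00.000Z", "applicationName": "admin"}, "actor": {"email": "admin@example.com"}, "events": [{"type": "DELEGATED_ADMIN_SETTINGS", "name": "REMOVE_PRIVILEGE", "parameters": [{"name": "ROLE_NAME", "value": "Help Desk Admin"}, {"name": "PRIVILEGE_NAME", "value": "USERS_RETRIEVE"}]}]}
{"id": {"time": "2021-08-24T10:16:00.000Z", "applicationName": "admin"}, "actor": {"email": "admin@example.com"}, "events": [{"type": "DELEGATED_ADMIN_SETTINGS", "name": "ASSIGN_ROLE", "parameters": [{"name": "ROLE_NAME", "value": "Help Desk Admin"}, {"name": "USER_EMAIL", "value": "alice@example.com"}]}]}
{"id": {"time": "2021-08-24T10:17:00.000Z", "applicationName": "login"}, "actor": {"email": "alice@example.com"}, "events": [{"type": "login", "name": "login_success"}]}
this line is not JSON and should be skipped
"""


def extract_privilege_removals(record: Dict[str, Any]) -> List[Dict[str, str]]:
    """Return one alert per REMOVE_PRIVILEGE event in an admin-log activity record.

    Records from other applications yield nothing; within an admin record,
    only events whose name matches exactly are reported.
    """
    alerts: List[Dict[str, str]] = []
    record_id = record.get("id", {})
    if record_id.get("applicationName") != ADMIN_APPLICATION:
        return alerts
    actor = record.get("actor", {}).get("email", "<unknown>")
    when = record_id.get("time", "<unknown>")
    for event in record.get("events", []):
        if event.get("name") != WATCHED_EVENT:
            continue
        # Flatten the name/value parameter list for convenient lookup.
        params = {p.get("name"): p.get("value") for p in event.get("parameters", [])}
        alerts.append(
            {
                "severity": SEVERITY,
                "time": when,
                "actor": actor,
                # Parameter names below are assumptions for this example.
                "role": params.get("ROLE_NAME", "<unknown>"),
                "privilege": params.get("PRIVILEGE_NAME", "<unknown>"),
            }
        )
    return alerts


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run the detection over NDJSON lines, skipping blank or malformed entries."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            # Malformed input must not abort the whole scan.
            continue
        if isinstance(record, dict):
            alerts.extend(extract_privilege_removals(record))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the constructed log, the scanner raises exactly one medium-severity alert, for the `REMOVE_PRIVILEGE` event, and ignores the role assignment, the login record and the malformed line. In production the same function would be fed records from the Reports API or from a SIEM that ingests the admin audit log, and the actor and role fields give a reviewer what they need to confirm the change against a change ticket.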
Categories
- Cloud
- GCP
- Infrastructure
Data Sources
- Cloud Service
- Application Log
Created: 2021-08-24