
Summary
The rule 'External GSuite File Share' flags cases where GSuite users share sensitive files with individuals outside their organization. This behavior can expose confidential data and represents a high security risk that requires a response. The detection relies on GSuite Reports logs to monitor changes in file access permissions. The logic evaluates whether a file's visibility has been changed from its previous internal-only permissions to allow access by external users. It covers shares to both known and unknown external users and checks whether the share is allowed under specified exceptions. Responses involve contacting users who share files externally, reviewing the legitimacy of the share, and maintaining an exception log as necessary.
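The logic described above, as an added sketch that is not the rule's own code: the event layout, field names, visibility values, internal domain and exception list are assumptions, and the sample events are constructed.

```python
# Added example; not the rule's own code. Event layout and field names are
# assumptions modeled on GSuite Reports Drive events; sample data is constructed.
ORG_DOMAIN = "example.com"  # assumed internal domain
INTERNAL_ONLY = {"private", "shared_internally"}
EXTERNAL = {"shared_externally", "people_with_link", "public_on_the_web"}
# Hypothetical exception log: (document title, approved external recipient)
EXCEPTIONS = {("Partner Roadmap", "alice@partner.example")}


def is_external(user):
    """A missing (unknown) recipient is treated as external."""
    return user is None or not user.lower().endswith("@" + ORG_DOMAIN)


def evaluate(event):
    """Return an alert string for an external share, else None."""
    if event.get("application") != "drive":
        return None
    p = event.get("parameters", {})
    if p.get("old_visibility") not in INTERNAL_ONLY:
        return None  # file was not internal-only before the change
    if p.get("visibility") not in EXTERNAL:
        return None  # file is still internal after the change
    target = p.get("target_user")
    if not is_external(target):
        return None
    if (p.get("doc_title"), target) in EXCEPTIONS:
        return None  # share is covered by a recorded exception
    who = target or "unknown external user"
    return f"{event.get('actor')} shared '{p.get('doc_title')}' with {who}"


def ev(actor, title, old, new, target, app="drive"):
    """Build one constructed sample event."""
    return {"application": app, "actor": actor, "parameters": {
        "doc_title": title, "old_visibility": old,
        "visibility": new, "target_user": target}}


SAMPLE_EVENTS = [
    ev("bob@example.com", "Q3 Payroll", "private", "shared_externally", "eve@vendor.example"),
    ev("bob@example.com", "Team Notes", "private", "shared_internally", "carol@example.com"),
    ev("dan@example.com", "Partner Roadmap", "private", "shared_externally", "alice@partner.example"),
    ev("dan@example.com", "Org Chart", "shared_internally", "people_with_link", None),
    ev("bob@example.com", "Q3 Payroll", "private", "shared_externally", "eve@vendor.example", app="login"),
]


def run(events):
    """Evaluate every event and keep only the alerts."""
    return [a for a in (evaluate(e) for e in events) if a]
```

Of the five constructed events, only the first and fourth alert; the others are an internal share, an approved exception, and a non-Drive record.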
Categories
- Cloud
- Application
Data Sources
- User Account
- Application Log
- Drive
ATT&CK Techniques
- T1213
Created: 2022-09-02