
GSuite Workspace Trusted Domain Allowlist Modified

Panther Rules

Summary
This detection rule monitors Google Workspace admin audit activity for changes to the trusted (allowlisted) domains list. It fires when a Workspace admin adds a domain to, or removes a domain from, that list. Trusted domains are external domains whose users are treated as permitted collaborators, so sharing with them bypasses the restrictions that apply to other outside parties; an unexpected addition widens the organization's sharing boundary and can leak data to a third party, while an unexpected removal can break legitimate collaboration. The rule keys on the admin activity events that record these actions, so every addition or removal produces an alert that can be investigated promptly. The rule's unit tests cover a successful addition, a successful removal, and unrelated admin events (for example, a settings change that does not touch domain management) that must not trigger it, which keeps the detection precise and limits false positives. When a modification occurs without a clear, documented intent (a change ticket or a known administrative task), verify it with the administrator who made the change; this keeps domain management accountable and subject to oversight.
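The detection logic described above, written out as an added example in the Panther rule style (a `rule(event)` predicate plus a `title(event)` formatter). This is not the rule's own source code. The field and event names it matches on are assumptions about Google's Admin audit log schema as delivered in a GSuite.ActivityEvent record: event `type` "DOMAIN_SETTINGS", event `name` "ADD_TRUSTED_DOMAINS" or "REMOVE_TRUSTED_DOMAINS", and `parameters.DOMAIN_NAME` naming the affected domain. The `deep_get` helper, the `severity` policy and the sample events are constructed for the example.

```python
# Added example (not Panther's own rule code): a Panther-style Python rule that flags
# additions to and removals from the Google Workspace trusted-domains list.
# ASSUMPTIONS (not from the page): the event follows Google's Admin audit log schema,
# with type "DOMAIN_SETTINGS", name "ADD_TRUSTED_DOMAINS" / "REMOVE_TRUSTED_DOMAINS",
# and parameters.DOMAIN_NAME carrying the affected domain. Sample events are constructed.

TRUSTED_DOMAIN_EVENT_TYPE = "DOMAIN_SETTINGS"
TRUSTED_DOMAIN_EVENT_NAMES = {"ADD_TRUSTED_DOMAINS", "REMOVE_TRUSTED_DOMAINS"}


def deep_get(event, *keys, default=None):
    """Walk nested dicts safely. Panther's event object exposes its own deep_get;
    this hypothetical helper does the same for the plain dicts used here."""
    cur = event
    for key in keys:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def rule(event):
    """Return True when an admin added a domain to, or removed one from, the trusted list."""
    if event.get("type") != TRUSTED_DOMAIN_EVENT_TYPE:
        return False
    return event.get("name") in TRUSTED_DOMAIN_EVENT_NAMES


def title(event):
    """Alert title naming the action, the affected domain and the admin responsible,
    with placeholders when a field is missing so a malformed event still alerts."""
    action = event.get("name", "<NO_EVENT_NAME>")
    domain = deep_get(event, "parameters", "DOMAIN_NAME", default="<NO_DOMAIN_NAME>")
    actor = deep_get(event, "actor", "email", default="<NO_ACTOR_EMAIL>")
    return f"GSuite Workspace Trusted Domain Modified [{action}] on Domain [{domain}] by [{actor}]"


def severity(event):
    """Example severity policy (not the rule's): widening the sharing boundary is
    riskier than narrowing it, so additions rate higher than removals."""
    return "MEDIUM" if event.get("name") == "ADD_TRUSTED_DOMAINS" else "LOW"


def alerts_for(events):
    """Run the rule over a batch of events; return (title, severity) for every hit."""
    return [(title(e), severity(e)) for e in events if rule(e)]


# Constructed sample admin audit events (not real logs).
SAMPLE_EVENTS = [
    {   # domain added: must alert
        "type": "DOMAIN_SETTINGS",
        "name": "ADD_TRUSTED_DOMAINS",
        "actor": {"email": "admin@example.com", "callerType": "USER"},
        "parameters": {"DOMAIN_NAME": "partner.example.net"},
        "id": {"applicationName": "admin", "time": "2022-12-14T10:00:00Z"},
    },
    {   # domain removed: must alert
        "type": "DOMAIN_SETTINGS",
        "name": "REMOVE_TRUSTED_DOMAINS",
        "actor": {"email": "admin@example.com", "callerType": "USER"},
        "parameters": {"DOMAIN_NAME": "old-vendor.example.org"},
        "id": {"applicationName": "admin", "time": "2022-12-14T10:05:00Z"},
    },
    {   # same event type but an unrelated domain setting: must not alert
        "type": "DOMAIN_SETTINGS",
        "name": "CHANGE_DOMAIN_DEFAULT_LOCALE",
        "actor": {"email": "admin@example.com", "callerType": "USER"},
        "parameters": {"DOMAIN_NAME": "example.com", "NEW_VALUE": "en"},
        "id": {"applicationName": "admin", "time": "2022-12-14T10:10:00Z"},
    },
    {   # different event type entirely: must not alert
        "type": "USER_SETTINGS",
        "name": "CHANGE_PASSWORD",
        "actor": {"email": "admin@example.com", "callerType": "USER"},
        "parameters": {"USER_EMAIL": "someone@example.com"},
        "id": {"applicationName": "admin", "time": "2022-12-14T10:15:00Z"},
    },
]

if __name__ == "__main__":
    for alert_title, sev in alerts_for(SAMPLE_EVENTS):
        print(sev, alert_title)
```

Running the block over the four constructed events yields two alerts (the addition and the removal) and stays silent on the other domain setting and on the password change, which is the false-positive boundary the rule's tests are meant to pin down. Checking `type` before `name` matters because event names are only unique within their type in the admin audit log.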
Categories
  • Cloud
  • GCP
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1098 (Account Manipulation)
Created: 2022-12-14