
Summary
This detection rule identifies instances where an API access service account is granted domain authority within Google Workspace. It monitors events logged by the Google Cloud Platform (GCP), filtering for events related to the authorization of API client access. Examining these event logs helps identify unauthorized grants that could lead to misuse of domain-level services. Detecting such events is crucial for maintaining security and preventing persistence attacks that target domain settings. The rule is classified as medium severity, indicating a moderate level of risk associated with detected events, and is intended for security teams monitoring Google Workspace environments.
Categories
- Cloud
- GCP
- Identity Management
Data Sources
- Cloud Service
- Application Log
Created: 2021-08-23
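The filtering described in the summary, as an added example that is not the rule's own code: it scans exported Workspace admin audit records for API client authorization events and reports the client and scopes granted. The event name `AUTHORIZE_API_CLIENT_ACCESS`, the parameter names, the comma-separated scope format, and the `approved_clients` allowlist are assumptions, since the page does not list them; the log lines are constructed.

```python
import json

# Assumption: event and parameter names follow the Google Workspace Admin
# audit log (Reports API "admin" application); the page does not list them.
TARGET_EVENT = "AUTHORIZE_API_CLIENT_ACCESS"

# Constructed sample records (not real logs), one JSON object per line.
SAMPLE_LOG = """\
{"id":{"time":"2021-08-23T10:01:00Z","applicationName":"admin"},"actor":{"email":"admin@example.com"},"events":[{"name":"AUTHORIZE_API_CLIENT_ACCESS","parameters":[{"name":"API_CLIENT_NAME","value":"111111111111111111111"},{"name":"API_SCOPES","value":"https://www.googleapis.com/auth/admin.directory.user, https://mail.google.com/"}]}]}
{"id":{"time":"2021-08-23T10:05:00Z","applicationName":"admin"},"actor":{"email":"helpdesk@example.com"},"events":[{"name":"CHANGE_PASSWORD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}]}
{"id":{"time":"2021-08-23T10:09:00Z","applicationName":"login"},"actor":{"email":"user@example.com"},"events":[{"name":"login_success","parameters":[]}]}
not-json garbage line
"""

def find_domain_api_grants(lines, approved_clients=frozenset()):
    """Return one finding per API client authorization event.

    approved_clients is a hypothetical allowlist of client IDs granted through
    change control; matches are still reported, but flagged as approved.
    """
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting
        if not isinstance(rec, dict):
            continue
        if rec.get("id", {}).get("applicationName") != "admin":
            continue  # only admin-console activity can carry this event
        for ev in rec.get("events", []):
            if ev.get("name") != TARGET_EVENT:
                continue
            params = {p.get("name"): p.get("value") for p in ev.get("parameters", [])}
            client = params.get("API_CLIENT_NAME")
            scopes = [s.strip() for s in (params.get("API_SCOPES") or "").split(",") if s.strip()]
            findings.append({
                "time": rec["id"].get("time"),
                "actor": rec.get("actor", {}).get("email"),
                "client": client,
                "scopes": scopes,
                "approved": client in approved_clients,
            })
    return findings

if __name__ == "__main__":
    for finding in find_domain_api_grants(SAMPLE_LOG.splitlines()):
        print(finding)
```

Triage on the `actor`, the `client`, and the breadth of `scopes`: a grant that nobody can tie to a change request is the case the rule exists to surface.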