GSuite Workspace Gmail Security Sandbox Disabled

Panther Rules

Summary
This rule monitors for changes to the Gmail Security Sandbox settings within GSuite (Google Workspace). It triggers when a Workspace Admin disables the Security Sandbox feature, which scans email content for malicious attachments and links. Disabling it can expose users to increased risk from phishing attacks and malware. Any such change should be investigated, especially if it was not intended, by examining the other actions taken by the same actor around the time of the change. The detection logic uses GSuite Activity Events to identify when the security setting was altered, so that administrative actions that might weaken email security are alerted on promptly. Administrators are advised to review the implications of disabling the Security Sandbox and ensure that security protocols are maintained within their organization.
Categories
  • Cloud
  • GCP
  • Application
  • Identity Management
Data Sources
  • User Account
  • Application Log
ATT&CK Techniques
  • T1566
Created: 2022-12-14