Domain Added to Google Workspace Trusted Domains

Elastic Detection Rules

Summary
This detection rule targets the addition of domains to the trusted domain list in Google Workspace, which could indicate malicious action by an insider or by an external attacker with administrative access. By adding a domain to the trusted list, an adversary can lower security restrictions and enable external parties to gain unauthorized access to sensitive data or resources. The rule monitors Google Workspace events related to domain management, focusing on actions categorized under identity and access management (IAM) in which trusted domains are added. It generates alerts whenever an unrecognized or external domain is added, and each alert requires immediate investigation to establish whether the change is legitimate and to mitigate the risk of unauthorized data access. The response process involves verifying the administrative credentials of the user who made the change, analyzing related events, and implementing contingency measures if unauthorized activity is confirmed.
Categories
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1562
  • T1562.007
Created: 2020-11-17
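
The matching and triage logic described in the summary, as an added Python example (not the rule's own source). It goes one step beyond the summary by splitting a comma-separated domain value and comparing each domain to an allow-list. The ECS-style field names, the `ADD_TRUSTED_DOMAINS` action value, the `APPROVED_DOMAINS` allow-list and every sample event are assumptions constructed for illustration.

```python
# Added example: triage of Google Workspace admin audit events, ECS-shaped.
# Assumptions: the field names below (as in Elastic's Google Workspace
# integration), the APPROVED_DOMAINS allow-list, and all sample events.
APPROVED_DOMAINS = {"partner.example.com"}  # hypothetical change-approved domains

def make_event(ts, actor, action, domain):
    """Build one constructed audit event (not a real log line)."""
    return {
        "@timestamp": ts,
        "event": {"dataset": "google_workspace.admin", "provider": "admin",
                  "category": ["iam"], "action": action},
        "user": {"email": actor},
        "google_workspace": {"admin": {"domain": {"name": domain}}},
    }

SAMPLE_EVENTS = [  # constructed
    make_event("2024-01-10T09:00:00Z", "admin@corp.example", "ADD_TRUSTED_DOMAINS", "partner.example.com"),
    make_event("2024-01-10T23:41:00Z", "helpdesk@corp.example", "ADD_TRUSTED_DOMAINS", "Unknown-Files.example.net."),
    make_event("2024-01-11T08:15:00Z", "admin@corp.example", "CHANGE_APPLICATION_SETTING", ""),
]

def is_trusted_domain_addition(event):
    """Mirror the rule's conditions: admin dataset, IAM category, add-trusted-domain action."""
    meta = event.get("event", {})
    category = meta.get("category", [])
    if isinstance(category, str):  # ECS allows a single string or a list
        category = [category]
    return (meta.get("dataset") == "google_workspace.admin"
            and meta.get("provider") == "admin"
            and "iam" in category
            and meta.get("action") == "ADD_TRUSTED_DOMAINS")

def triage(events, approved=APPROVED_DOMAINS):
    """Return one finding per added domain; unapproved domains get 'investigate'."""
    findings = []
    for event in events:
        if not is_trusted_domain_addition(event):
            continue
        raw = event.get("google_workspace", {}).get("admin", {}).get("domain", {}).get("name") or ""
        # Normalise case and trailing dot so "Example.COM." matches the allow-list.
        domains = [d.strip().lower().rstrip(".") for d in raw.split(",") if d.strip()] or ["unknown"]
        for domain in domains:
            findings.append({"time": event.get("@timestamp"),
                             "actor": event.get("user", {}).get("email", "unknown"),
                             "domain": domain,
                             "verdict": "approved" if domain in approved else "investigate"})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```
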