GCP Service Account Key Creation

Elastic Detection Rules

Summary
This detection rule identifies the creation of new keys for service accounts in Google Cloud Platform (GCP). Service accounts let applications interact with GCP services through authorized API calls, so a service account key is a long-lived credential. When a new key is created, especially without appropriate oversight, it poses a potential security threat: an adversary who obtains or creates such a key can use it to gain unauthorized access as that service account. The rule monitors GCP audit logs for the events that indicate a new service account key was created, allowing organizations to respond quickly to potential service account misuse. Investigations should focus on verifying the legitimacy of the action, identifying who initiated it, and reviewing the permissions held by the service account in question. The rule also accounts for false positives from routine operations, so certain processes and environments (such as automated deployment pipelines) should be whitelisted to keep operations running while maintaining coverage.
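The following is an added example (not the Elastic rule's own query) of the detection logic run over constructed GCP audit log entries. It assumes the key-creation call appears in Admin Activity audit logs with `protoPayload.methodName` ending in `CreateServiceAccountKey`, that a failed call carries a non-zero `protoPayload.status.code`, and that the principal is in `protoPayload.authenticationInfo.principalEmail`; the allowlist parameter is one way to suppress the routine-automation false positives the summary mentions.

```python
import json

# Added example, not the Elastic rule's own query. Assumption: in GCP Admin
# Activity audit logs the key-creation call is logged with methodName
# "google.iam.admin.v1.CreateServiceAccountKey"; the match tolerates the
# API version so a v2 method name would also be caught.
KEY_CREATION_SUFFIX = ".CreateServiceAccountKey"

# Constructed sample entries in the shape of GCP audit log JSON (one per line).
SAMPLE_LOGS = [
    json.dumps({"timestamp": "2024-05-01T10:00:00Z", "protoPayload": {
        "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "resourceName": "projects/-/serviceAccounts/app@example-proj.iam.gserviceaccount.com"}}),
    json.dumps({"timestamp": "2024-05-01T10:01:00Z", "protoPayload": {
        "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
        "authenticationInfo": {"principalEmail": "bob@example.com"},
        "resourceName": "projects/-/serviceAccounts/db@example-proj.iam.gserviceaccount.com",
        "status": {"code": 7, "message": "PERMISSION_DENIED"}}}),  # failed attempt
    json.dumps({"timestamp": "2024-05-01T10:02:00Z", "protoPayload": {
        "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
        "authenticationInfo": {"principalEmail": "ci-deployer@example-proj.iam.gserviceaccount.com"},
        "resourceName": "projects/-/serviceAccounts/build@example-proj.iam.gserviceaccount.com"}}),
    json.dumps({"timestamp": "2024-05-01T10:03:00Z", "protoPayload": {
        "methodName": "google.iam.admin.v1.ListServiceAccountKeys",  # read-only, not a creation
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "resourceName": "projects/-/serviceAccounts/app@example-proj.iam.gserviceaccount.com"}}),
]


def is_successful_key_creation(entry: dict) -> bool:
    """True for a key-creation call that succeeded (no status block, or status code 0)."""
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName", "")
    code = payload.get("status", {}).get("code", 0)
    return method.startswith("google.iam.admin.") and method.endswith(KEY_CREATION_SUFFIX) and code == 0


def detect_key_creation(log_lines, allowlist=frozenset()):
    """One finding per successful key creation by a principal not on the allowlist."""
    findings = []
    for line in log_lines:
        entry = json.loads(line)
        if not is_successful_key_creation(entry):
            continue
        payload = entry["protoPayload"]
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        if principal in allowlist:  # known automation (e.g. a CI deployer) is a routine false positive
            continue
        findings.append({"time": entry.get("timestamp"), "principal": principal,
                         "service_account": payload.get("resourceName", "")})
    return findings
```

Each finding names the principal and the target service account, which is the starting point for the legitimacy and permission review the summary calls for.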
Categories
  • Cloud
  • Identity Management
Data Sources
  • Group
  • Service
  • Application Log
ATT&CK Techniques
  • T1098
Created: 2020-09-21