
Summary
This detection rule monitors Google Cloud Platform (GCP) for the creation of new service accounts. Service accounts are directly tied to identity and access management within GCP, so creating a new one can indicate abuse or misconfiguration, especially if done without proper oversight. The rule queries the GCP audit logs for any events where a service account has been created within the last two hours, looking specifically for the event named 'CreateServiceAccount' to identify unauthorized or unexpected service account creations, which may signify an attacker trying to maintain persistence within the environment. The short time frame (2 hours) allows for rapid response to potential threats and reinforces the importance of continuous monitoring and alerting in cloud environments to maintain security posture and compliance.
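The following Python sketch shows the detection logic described above run over a handful of audit-log entries. It is an added example, not the rule's own query. It assumes GCP Cloud Audit Log entries in their JSON form, where the IAM method name is recorded under protoPayload.methodName (for example google.iam.admin.v1.CreateServiceAccount), the caller under protoPayload.authenticationInfo.principalEmail, and the created account's address under protoPayload.response.email; the log entries, project id, principals and timestamps are constructed sample data. It also illustrates one edge case the rule's wording implies: the match is on the exact method name, so a CreateServiceAccountKey event is not treated as an account creation.

```python
"""Flag GCP service-account creations within a two-hour lookback window.

Added example; not the detection rule's own query. Field paths follow the JSON
shape of GCP Cloud Audit Log entries as assumed in the lead-in. All sample data
below is constructed.
"""
import json
from datetime import datetime, timedelta, timezone

LOOKBACK = timedelta(hours=2)            # the rule's two-hour window
TARGET_METHOD = "CreateServiceAccount"   # last component of methodName

# Fixed "now" so the example is reproducible offline (constructed).
REFERENCE_NOW = datetime(2024, 2, 9, 12, 0, tzinfo=timezone.utc)

# Constructed sample audit-log entries (not real data).
SAMPLE_LOG = [
    {   # creation inside the window -> should alert
        "timestamp": "2024-02-09T11:30:00Z",
        "resource": {"labels": {"project_id": "example-project"}},
        "protoPayload": {
            "methodName": "google.iam.admin.v1.CreateServiceAccount",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "response": {"email": "new-sa@example-project.iam.gserviceaccount.com"},
        },
    },
    {   # creation four hours ago -> outside the window
        "timestamp": "2024-02-09T08:00:00Z",
        "resource": {"labels": {"project_id": "example-project"}},
        "protoPayload": {
            "methodName": "google.iam.admin.v1.CreateServiceAccount",
            "authenticationInfo": {"principalEmail": "bob@example.com"},
            "response": {"email": "old-sa@example-project.iam.gserviceaccount.com"},
        },
    },
    {   # a read, not a creation
        "timestamp": "2024-02-09T11:45:00Z",
        "resource": {"labels": {"project_id": "example-project"}},
        "protoPayload": {
            "methodName": "google.iam.admin.v1.GetServiceAccount",
            "authenticationInfo": {"principalEmail": "carol@example.com"},
        },
    },
    {   # key creation on an existing account: similar name, different event
        "timestamp": "2024-02-09T11:50:00Z",
        "resource": {"labels": {"project_id": "example-project"}},
        "protoPayload": {
            "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
            "authenticationInfo": {"principalEmail": "dave@example.com"},
        },
    },
]


def parse_timestamp(ts: str) -> datetime:
    """Parse an RFC 3339 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_service_account_creation(entry: dict) -> bool:
    """True only when the method name's last component is exactly CreateServiceAccount."""
    method = entry.get("protoPayload", {}).get("methodName", "")
    return method.rsplit(".", 1)[-1] == TARGET_METHOD


def find_recent_creations(entries, now: datetime, lookback: timedelta = LOOKBACK):
    """Return a summary dict for every creation event at or after now - lookback."""
    cutoff = now - lookback
    hits = []
    for entry in entries:
        if not is_service_account_creation(entry):
            continue
        if parse_timestamp(entry["timestamp"]) < cutoff:
            continue
        payload = entry["protoPayload"]
        hits.append({
            "timestamp": entry["timestamp"],
            "principal": payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
            "project": entry.get("resource", {}).get("labels", {}).get("project_id", "<unknown>"),
            "service_account": payload.get("response", {}).get("email", "<unknown>"),
        })
    return hits


def detect(entries=SAMPLE_LOG, now: datetime = REFERENCE_NOW):
    """Convenience entry point over the constructed sample with the fixed clock."""
    return find_recent_creations(entries, now)


if __name__ == "__main__":
    for hit in detect():
        print(json.dumps(hit))
```

In a real deployment the entries would come from a Cloud Logging export or sink rather than an inline list, and the alert would carry the principal and target project so an analyst can confirm whether the creation was expected.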
Categories
- Cloud
- GCP
- Identity Management
Data Sources
- Group
- Cloud Service
- Application Log
ATT&CK Techniques
- T1136
Created: 2024-02-09