Google Workspace Admin Role Deletion

Elastic Detection Rules

Summary
This detection rule identifies the deletion of custom admin roles in Google Workspace, which can indicate malicious activity aimed at compromising administrative access. By removing admin roles, an adversary can degrade the permissions of legitimate system administrators, causing operational failures or opening the way to unauthorized access to sensitive data. The rule works by querying the logs for events in which an admin role was deleted, so that security teams are alerted to investigate unusual role changes. Investigation should cover the user accounts affected, whether the deletion was a legitimate administrative action, and the overall impact on administrative capabilities. The rule's guidance also outlines response and remediation steps, emphasizing incident response planning, checks for exposed credentials, and adherence to the principle of least privilege in user permissions to mitigate the risk of such actions.
Categories
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • Cloud Service
  • Script
  • Network Traffic
ATT&CK Techniques
  • T1531
Created: 2020-11-17