Gdrive suspicious file sharing

Splunk Security Content

Summary
This detection rule identifies suspicious file-sharing activity in Google Drive: an internal user sharing a document with more than 50 recipients outside the organization. It runs over Google Workspace (GSuite) Drive logs, selects the events that record a change in user access, and filters the recipient addresses down to those whose domain is not the organization's own. Sharing at that scale can indicate a compromised account or deliberate data exfiltration; if the behavior is confirmed malicious, the consequences include unauthorized access to sensitive information, a data breach, and possible violations of compliance regulations. To implement the rule, Google Workspace logging must be configured to collect the relevant Drive activity, and the domain hard-coded in the search query must be replaced with the organization's real domain, since otherwise internal recipients are counted as external. Beyond detecting the anomaly, the rule supports investigation of a suspected account compromise through the metadata carried by the same events, such as the source IP address and the document details.
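The detection logic described above, implemented in Python over constructed Google Drive access-change events, as an added example (this is not the Splunk rule's own SPL). The field names (event_name, actor_email, email_tos, doc_id, doc_title, src_ip), the organization domain example.com, and the sample events are assumptions made for illustration, not actual Workspace log fields or real data. It goes a step beyond the summary by counting distinct external recipients per (user, document) across several sharing events, so a share split into batches still trips the threshold while repeated recipients do not inflate the count, and it keeps the source IPs and document title that an investigator would pivot on.

```python
"""Detect an internal user sharing one Drive document with many external recipients.

Added example: the field names, the organization domain and the events below are
assumptions constructed for illustration, not real Google Workspace log data.
"""
from collections import defaultdict

ORG_DOMAIN = "example.com"     # assumption: replace with the organization's real domain
EXTERNAL_THRESHOLD = 50        # more than this many distinct external recipients is flagged


def is_external(address, org_domain=ORG_DOMAIN):
    """Return True when the address does not belong to org_domain.

    The comparison is case-insensitive on both sides; an address with no '@'
    is treated as external so a malformed recipient cannot evade the check.
    """
    addr = address.strip().lower()
    if "@" not in addr:
        return True
    return addr.rsplit("@", 1)[1] != org_domain.strip().lower()


def detect_suspicious_sharing(events, org_domain=ORG_DOMAIN, threshold=EXTERNAL_THRESHOLD):
    """Group access-change events by (internal actor, document), count the distinct
    external recipients, and return the groups whose count exceeds the threshold,
    keeping the source IPs and document title for investigation."""
    groups = defaultdict(lambda: {"recipients": set(), "src_ips": set(), "doc_title": ""})
    for ev in events:
        if ev.get("event_name") != "change_user_access":
            continue                                  # only access changes are sharing
        actor = ev.get("actor_email", "")
        if is_external(actor, org_domain):
            continue                                  # scope: internal users sharing outward
        g = groups[(actor, ev.get("doc_id"))]
        g["doc_title"] = ev.get("doc_title", g["doc_title"])
        if ev.get("src_ip"):
            g["src_ips"].add(ev["src_ip"])
        g["recipients"].update(r for r in ev.get("email_tos", []) if is_external(r, org_domain))

    findings = []
    for (actor, doc_id), g in groups.items():
        if len(g["recipients"]) > threshold:
            findings.append({
                "actor": actor,
                "doc_id": doc_id,
                "doc_title": g["doc_title"],
                "external_count": len(g["recipients"]),
                "src_ips": sorted(g["src_ips"]),
                "sample_recipients": sorted(g["recipients"])[:5],
            })
    return sorted(findings, key=lambda f: f["external_count"], reverse=True)


def _externals(start, stop, domain="partner-mail.test"):
    """Constructed external recipient addresses user<start>..user<stop-1>@domain."""
    return [f"user{i}@{domain}" for i in range(start, stop)]


def _event(actor, doc_id, title, src_ip, tos, event_name="change_user_access"):
    return {"event_name": event_name, "actor_email": actor, "doc_id": doc_id,
            "doc_title": title, "src_ip": src_ip, "email_tos": tos}


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    # alice shares doc-A in two batches of 30 from two IPs: 60 distinct externals, flagged
    _event("alice@example.com", "doc-A", "Q3 customer list", "203.0.113.7", _externals(0, 30)),
    _event("alice@example.com", "doc-A", "Q3 customer list", "198.51.100.9", _externals(30, 60)),
    # bob shares with 200 colleagues; a mixed-case internal domain still counts as internal
    _event("bob@example.com", "doc-B", "All-hands deck", "203.0.113.8",
           [f"staff{i}@Example.COM" for i in range(200)]),
    # an external guest sharing to 80 externals is out of scope for this rule
    _event("guest@other.test", "doc-C", "Vendor notes", "192.0.2.5", _externals(0, 80)),
    # carol shares with 10 externals: under the threshold
    _event("carol@example.com", "doc-D", "Proposal", "203.0.113.9", _externals(0, 10)),
    # dave shares the same 50 externals twice: duplicates do not count, and 50 is not > 50
    _event("dave@example.com", "doc-E", "Roadmap", "203.0.113.10", _externals(0, 50)),
    _event("dave@example.com", "doc-E", "Roadmap", "203.0.113.10", _externals(0, 50)),
    # a view event with many addresses is not a sharing action and is ignored
    _event("erin@example.com", "doc-F", "Budget", "203.0.113.11", _externals(0, 90),
           event_name="view"),
]

if __name__ == "__main__":
    for f in detect_suspicious_sharing(SAMPLE_EVENTS):
        print(f"{f['actor']} shared {f['doc_id']} ({f['doc_title']}) with "
              f"{f['external_count']} external recipients from {', '.join(f['src_ips'])}")
```

Run as-is, only doc-A is reported. The comparison uses a strict greater-than, matching the "more than 50" wording; lowering the threshold to 49 would also surface doc-E, which shows why the counted quantity should be distinct recipients rather than raw event volume.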
Categories
  • Cloud
  • GCP
  • Infrastructure
Data Sources
  • Group
  • Application Log
ATT&CK Techniques
  • T1566
Created: 2024-11-14