
Summary
The detection rule "GCP KMS Key Granted to GCS Service Account" monitors for a KMS IAM policy change that grants encryption or decryption permissions to a Google Cloud Storage (GCS) service account. Such a grant can indicate a ransomware operation in which an adversary enables a GCS service account to encrypt data held in cloud storage. To identify this, the rule relies on GCP Audit logs, specifically SetIamPolicy events on KMS keys. The detection process involves querying the audit logs, verifying source IP addresses against known ranges, and cross-checking GCS operations performed by the service account after the policy change. The rule also carries MITRE ATT&CK references that tie it to defense evasion and impact tactics associated with malicious data encryption.
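The core check the rule describes, as an added example that is not the rule's own query: scan Cloud Audit Log entries for a KMS SetIamPolicy call whose new policy binds an encrypt/decrypt role to a GCS service agent. The log entries are constructed samples; the protoPayload field layout and the service-agent address format `service-<project-number>@gs-project-accounts.iam.gserviceaccount.com` are assumptions to confirm against the tenant's real logs.

```python
import re

# Roles that allow the principal to encrypt or decrypt with the key.
KMS_CRYPTO_ROLES = {
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
    "roles/cloudkms.cryptoKeyEncrypter",
    "roles/cloudkms.cryptoKeyDecrypter",
}
# GCS service agent address format (assumption; verify against real logs).
GCS_SERVICE_AGENT = re.compile(
    r"^serviceAccount:service-\d+@gs-project-accounts\.iam\.gserviceaccount\.com$"
)

def kms_grant_to_gcs_agent(entry):
    """Return (key, actor, role, member) tuples for each matching binding."""
    p = entry.get("protoPayload", {})
    if p.get("serviceName") != "cloudkms.googleapis.com" or p.get("methodName") != "SetIamPolicy":
        return []
    actor = p.get("authenticationInfo", {}).get("principalEmail", "?")
    key = p.get("resourceName", "?")
    hits = []
    # SetIamPolicy carries the complete new policy in request.policy.bindings.
    for b in p.get("request", {}).get("policy", {}).get("bindings", []):
        if b.get("role") in KMS_CRYPTO_ROLES:
            for m in b.get("members", []):
                if GCS_SERVICE_AGENT.match(m):
                    hits.append((key, actor, b["role"], m))
    return hits

def scan(entries):
    return [h for e in entries for h in kms_grant_to_gcs_agent(e)]

# Constructed sample entries: a benign viewer grant, then a matching grant.
SAMPLE_LOGS = [
    {"protoPayload": {"serviceName": "cloudkms.googleapis.com", "methodName": "SetIamPolicy",
        "resourceName": "projects/p1/locations/us/keyRings/r1/cryptoKeys/k1",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "request": {"policy": {"bindings": [
            {"role": "roles/cloudkms.viewer", "members": ["user:bob@example.com"]}]}}}},
    {"protoPayload": {"serviceName": "cloudkms.googleapis.com", "methodName": "SetIamPolicy",
        "resourceName": "projects/p1/locations/us/keyRings/r1/cryptoKeys/k1",
        "authenticationInfo": {"principalEmail": "admin@example.com"},
        "request": {"policy": {"bindings": [
            {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
             "members": ["serviceAccount:service-123456@gs-project-accounts.iam.gserviceaccount.com"]}]}}}},
]
if __name__ == "__main__":
    for key, actor, role, member in scan(SAMPLE_LOGS):
        print(f"ALERT {actor} granted {role} on {key} to {member}")
```

A hit is a starting point for the follow-up steps the summary lists (source IP review and the service account's subsequent GCS activity), not a verdict on its own.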
Categories
- Cloud
- GCP
- Infrastructure
Data Sources
- Group
- User Account
- Cloud Service
- Container
ATT&CK Techniques
- T1562
- T1486
Created: 2026-01-06