
Summary
The 'Google Workspace Role Modified' detection rule identifies modifications to custom admin roles in Google Workspace, which can indicate an attempt to elevate user permissions. An attacker who can edit a custom admin role can grant higher privileges to accounts under their control, facilitating lateral movement across the organization. The rule is written in KQL (Kibana Query Language) and matches Google Workspace admin audit events that update a role or add or remove a privilege. Alerts from this rule are important for maintaining security posture, since they surface deviations from the principle of least privilege (PoLP). The rule's investigation guidance is to verify the roles held by the user who made the change, check which privileges were added, removed, or altered, and determine whether the change corresponds to an intended administrative action, so that genuine threats can be distinguished from routine role maintenance and handled accordingly.
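The following is an added worked example, not the rule's own query or code, showing the detection predicate and the suggested triage checks applied to a handful of constructed Google Workspace admin audit events. It assumes an ECS-style flattening of the events (event.dataset, event.category, event.action and google_workspace.admin.* fields), uses the admin-audit action names UPDATE_ROLE, ADD_PRIVILEGE and REMOVE_PRIVILEGE as the role-modification events of interest, and treats the privilege names in SENSITIVE_PRIVILEGES as illustrative; all of these are assumptions made for the example.

```python
"""Toy re-implementation of the 'Google Workspace Role Modified' detection
logic plus the triage checks the rule recommends. Added example, not the
rule's own code; field and action names are assumptions (see lead-in)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Admin-audit actions treated as a modification of a custom admin role
# (assumed action names).
ROLE_MODIFICATION_ACTIONS = {"UPDATE_ROLE", "ADD_PRIVILEGE", "REMOVE_PRIVILEGE"}

# Privileges whose addition to a role warrants immediate escalation.
# Illustrative names only, not an authoritative Google privilege list.
SENSITIVE_PRIVILEGES = {"SUPER_ADMIN", "USERS_UPDATE", "SECURITY_SETTINGS"}


@dataclass
class Alert:
    timestamp: str
    actor: str
    action: str
    role: str
    privilege: str
    flags: List[str]


def matches_rule(event: Dict[str, str]) -> bool:
    """Predicate equivalent to the rule's KQL filter: Google Workspace admin
    dataset, IAM category, and an action that updates a role or changes its
    privileges."""
    return (
        event.get("event.dataset") == "google_workspace.admin"
        and event.get("event.category") == "iam"
        and event.get("event.action") in ROLE_MODIFICATION_ACTIONS
    )


def triage(events: Iterable[Dict[str, str]], approved_admins: Iterable[str]) -> List[Alert]:
    """Apply the rule and annotate each hit with the investigation checks:
    who made the change, which privilege changed, whether the actor is an
    expected administrator, and whether a sensitive privilege was added."""
    approved = set(approved_admins)
    alerts: List[Alert] = []
    for ev in events:
        if not matches_rule(ev):
            continue
        flags: List[str] = []
        actor = ev.get("user.name", "<unknown>")
        privilege = ev.get("google_workspace.admin.privilege.name", "")
        if actor not in approved:
            flags.append("unexpected_actor")
        if ev["event.action"] == "ADD_PRIVILEGE" and privilege in SENSITIVE_PRIVILEGES:
            flags.append("sensitive_privilege_added")
        alerts.append(Alert(
            timestamp=ev.get("@timestamp", ""),
            actor=actor,
            action=ev["event.action"],
            role=ev.get("google_workspace.admin.role.name", "<unknown>"),
            privilege=privilege,
            flags=flags,
        ))
    return alerts


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"@timestamp": "2024-01-10T09:00:00Z", "event.dataset": "google_workspace.admin",
     "event.category": "iam", "event.action": "ADD_PRIVILEGE",
     "user.name": "alice@example.com",
     "google_workspace.admin.role.name": "Helpdesk",
     "google_workspace.admin.privilege.name": "USERS_UPDATE"},
    {"@timestamp": "2024-01-10T09:05:00Z", "event.dataset": "google_workspace.admin",
     "event.category": "iam", "event.action": "UPDATE_ROLE",
     "user.name": "mallory@example.com",
     "google_workspace.admin.role.name": "Helpdesk"},
    {"@timestamp": "2024-01-10T09:10:00Z", "event.dataset": "google_workspace.admin",
     "event.category": "iam", "event.action": "CREATE_USER",
     "user.name": "alice@example.com"},
    {"@timestamp": "2024-01-10T09:15:00Z", "event.dataset": "google_workspace.login",
     "event.category": "authentication", "event.action": "login_success",
     "user.name": "alice@example.com"},
    {"@timestamp": "2024-01-10T09:20:00Z", "event.dataset": "google_workspace.admin",
     "event.category": "iam", "event.action": "REMOVE_PRIVILEGE",
     "user.name": "alice@example.com",
     "google_workspace.admin.role.name": "Auditor",
     "google_workspace.admin.privilege.name": "REPORTS_ACCESS"},
]


def run_sample() -> List[Alert]:
    """Run the rule over the constructed events with alice as the only
    approved administrator."""
    return triage(SAMPLE_EVENTS, approved_admins=["alice@example.com"])


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Of the five constructed events only three match the filter; the user-creation event and the login event fall outside the action set and dataset respectively. The first hit is flagged because an approved admin added a sensitive privilege, the second because an unapproved account edited a role, and the third (a privilege removal by an approved admin) matches but carries no flags, which is the case the rule's guidance expects an analyst to close as routine role maintenance after confirming intent.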
Categories
- Cloud
- Identity Management
Data Sources
- User Account
- Application Log
- Cloud Service
ATT&CK Techniques
- T1098 (Account Manipulation)
Created: 2020-11-17