
Summary
This detection rule monitors for the granting of domain-wide delegation of authority to a service account (more precisely, to its OAuth client ID) in Google Workspace. Domain-wide delegation lets an application call Google APIs on behalf of any user in the domain, without that user's consent, for the OAuth scopes it was granted, so an adversary who obtains it, or who compromises a service account that already holds it, can read mail, Drive content and directory data across the whole organization. The detection triggers on the "AUTHORIZE_API_CLIENT_ACCESS" event in the Google Workspace admin audit log, recording the timestamp, host, acting administrator, action performed, source IP and user agent. Granting delegation is not inherently malicious, but it warrants scrutiny given the breadth of access it provides: an attacker with administrator access can use it to persist in a victim's Google Workspace environment even after the original foothold is removed. Each grant should be validated against the organization's list of approved integrations by confirming the administrator who authorized it, the client ID that received it and the scopes granted; a grant that is unexpected, comes from an unusual source IP, or carries broad scopes such as Gmail, Drive or Admin SDK directory access is a candidate for investigation. The detection logic searches the Google Workspace admin audit events ingested into Splunk for this event and surfaces grants that deviate from normal operational patterns.
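The following is an added example, not part of this rule or of the Splunk Security Content project, showing the detection logic applied offline to admin audit records. The records are constructed for the example and follow the shape of Google Workspace Reports API "admin" activity entries, with the `API_CLIENT_NAME` and `API_SCOPES` parameters documented for `AUTHORIZE_API_CLIENT_ACCESS`; the allowlist of approved client IDs, the sensitive-scope markers and the `detect` helper are assumptions made for the example.

```python
"""Flag domain-wide delegation grants in Google Workspace admin audit logs."""
import json
from dataclasses import dataclass, field

DELEGATION_EVENT = "AUTHORIZE_API_CLIENT_ACCESS"

# Scope substrings that reach user data across the whole domain. A grant carrying
# any of these deserves a closer look than, say, a calendar-readonly scope.
# (Assumed list for the example; tune it to your own risk appetite.)
SENSITIVE_SCOPE_MARKERS = ("gmail", "drive", "admin.directory", "contacts")

# Assumed allowlist: OAuth client IDs of integrations the organisation has approved.
ALLOWED_CLIENTS = {"100000000000000000001"}

# Constructed sample records (newline-delimited JSON), shaped like Reports API
# "admin" activity entries. One approved grant, one unknown grant with broad
# scopes, and one unrelated admin event that the detection must ignore.
SAMPLE_LOG = r'''
{"id": {"time": "2024-02-09T10:15:00Z", "applicationName": "admin"}, "actor": {"email": "admin@example.com"}, "ipAddress": "203.0.113.10", "events": [{"type": "DOMAIN_SETTINGS", "name": "AUTHORIZE_API_CLIENT_ACCESS", "parameters": [{"name": "API_CLIENT_NAME", "value": "100000000000000000001"}, {"name": "API_SCOPES", "multiValue": ["https://www.googleapis.com/auth/calendar.readonly"]}]}]}
{"id": {"time": "2024-02-09T23:41:07Z", "applicationName": "admin"}, "actor": {"email": "itadmin@example.com"}, "ipAddress": "198.51.100.77", "events": [{"type": "DOMAIN_SETTINGS", "name": "AUTHORIZE_API_CLIENT_ACCESS", "parameters": [{"name": "API_CLIENT_NAME", "value": "110000000000000000002"}, {"name": "API_SCOPES", "multiValue": ["https://www.googleapis.com/auth/gmail.readonly", "https://www.googleapis.com/auth/drive", "https://www.googleapis.com/auth/admin.directory.user.readonly"]}]}]}
{"id": {"time": "2024-02-09T23:42:30Z", "applicationName": "admin"}, "actor": {"email": "itadmin@example.com"}, "ipAddress": "198.51.100.77", "events": [{"type": "USER_SETTINGS", "name": "CREATE_USER", "parameters": [{"name": "USER_EMAIL", "value": "svc-sync@example.com"}]}]}
'''


@dataclass
class DelegationGrant:
    time: str
    actor: str
    ip: str
    client_id: str
    scopes: list = field(default_factory=list)

    def sensitive_scopes(self):
        """Scopes in this grant that match one of the sensitive markers."""
        return [s for s in self.scopes if any(m in s for m in SENSITIVE_SCOPE_MARKERS)]


def _param_value(parameters, name):
    """Return an event parameter by name; multiValue parameters come back as a list."""
    for p in parameters:
        if p.get("name") == name:
            if "multiValue" in p:
                return list(p["multiValue"])
            return p.get("value")
    return None


def extract_grants(records):
    """Yield one DelegationGrant per AUTHORIZE_API_CLIENT_ACCESS event."""
    for rec in records:
        for ev in rec.get("events", []):
            if ev.get("name") != DELEGATION_EVENT:
                continue
            params = ev.get("parameters", [])
            scopes = _param_value(params, "API_SCOPES") or []
            if isinstance(scopes, str):  # tolerate a single-valued parameter
                scopes = [scopes]
            yield DelegationGrant(
                time=rec.get("id", {}).get("time", ""),
                actor=rec.get("actor", {}).get("email", ""),
                ip=rec.get("ipAddress", ""),
                client_id=str(_param_value(params, "API_CLIENT_NAME") or ""),
                scopes=scopes,
            )


def detect(jsonl, allowed_clients):
    """Return grants whose client ID is not approved, most sensitive first."""
    records = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    findings = [g for g in extract_grants(records) if g.client_id not in allowed_clients]
    findings.sort(key=lambda g: len(g.sensitive_scopes()), reverse=True)
    return findings


if __name__ == "__main__":
    for g in detect(SAMPLE_LOG, ALLOWED_CLIENTS):
        print(f"{g.time} {g.actor} from {g.ip} delegated client {g.client_id}")
        for scope in g.sensitive_scopes():
            print(f"    sensitive scope: {scope}")
```

Only the grant to the unknown client ID is returned; the approved client and the unrelated `CREATE_USER` event are dropped. In a production pipeline the allowlist would come from a change-management record rather than a constant, and the source IP and off-hours timestamp of the flagged grant are exactly the context an analyst would pivot on next.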
Categories
- Cloud
- GCP
- Application
- Identity Management
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1078.004
Created: 2024-02-09