
Summary
This detection rule is designed to identify when a Workspace Administrator disables the pre-delivery scanning feature for Gmail within the GSuite environment. Pre-delivery scanning is a critical security feature that subjects suspicious emails to enhanced scrutiny before delivery, which helps to protect users from potential phishing attacks and malicious content. If this scanning feature is disabled, it could indicate a security oversight or malicious intent. The rule generates alerts based on GSuite activity logs that capture administrative changes, particularly those that affect Gmail application settings. Given its medium severity level, the rule targets significant changes that could impact the security posture of the organization, especially regarding email security. Administrators should review such changes to ensure that they were intentional, investigating any accompanying actions taken by the involved user.
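The detection logic the summary describes, as an added Python example that is not the rule's own query, nor Google's code: it walks Google Workspace admin audit activities, keeps only CHANGE_APPLICATION_SETTING events for the Gmail application, and raises a medium-severity alert when the pre-delivery scanning setting is turned off (a re-enable is deliberately not alerted). The activity layout (id.applicationName, actor.email, events[].name, events[].parameters[] with APPLICATION_NAME / SETTING_NAME / OLD_VALUE / NEW_VALUE / ORG_UNIT_NAME) follows the Admin SDK Reports API; the exact SETTING_NAME string Google uses for pre-delivery scanning is not given on this page, so it is a labelled placeholder, and the sample events are constructed. A small triage helper lists the other actions taken by the same administrator, which is the follow-up the summary asks for.

```python
"""Flag Google Workspace admin audit events that disable Gmail pre-delivery scanning."""
from typing import Any, Dict, Iterable, List

# ASSUMPTION (not from the page): the real SETTING_NAME value for pre-delivery
# scanning must be taken from an actual audit event; this is a placeholder.
PRE_DELIVERY_SCANNING_SETTING = "PRE_DELIVERY_SCANNING_SETTING_PLACEHOLDER"
DISABLED_VALUES = {"false", "disabled", "off", "0"}

# Constructed sample activities in Reports-API shape: one disable (should alert),
# one re-enable, one unrelated Drive setting change, one non-admin login event.
SAMPLE_ACTIVITIES: List[Dict[str, Any]] = [
    {"id": {"time": "2022-12-15T10:02:11Z", "applicationName": "admin"},
     "actor": {"email": "admin@example.com"},
     "events": [{"type": "APPLICATION_SETTINGS", "name": "CHANGE_APPLICATION_SETTING",
                 "parameters": [{"name": "APPLICATION_NAME", "value": "Gmail"},
                                {"name": "SETTING_NAME", "value": PRE_DELIVERY_SCANNING_SETTING},
                                {"name": "OLD_VALUE", "value": "true"},
                                {"name": "NEW_VALUE", "value": "false"},
                                {"name": "ORG_UNIT_NAME", "value": "/Finance"}]}]},
    {"id": {"time": "2022-12-15T10:40:00Z", "applicationName": "admin"},
     "actor": {"email": "admin@example.com"},
     "events": [{"type": "APPLICATION_SETTINGS", "name": "CHANGE_APPLICATION_SETTING",
                 "parameters": [{"name": "APPLICATION_NAME", "value": "Gmail"},
                                {"name": "SETTING_NAME", "value": PRE_DELIVERY_SCANNING_SETTING},
                                {"name": "OLD_VALUE", "value": "false"},
                                {"name": "NEW_VALUE", "value": "true"}]}]},
    {"id": {"time": "2022-12-15T11:00:00Z", "applicationName": "admin"},
     "actor": {"email": "admin@example.com"},
     "events": [{"type": "APPLICATION_SETTINGS", "name": "CHANGE_APPLICATION_SETTING",
                 "parameters": [{"name": "APPLICATION_NAME", "value": "Drive and Docs"},
                                {"name": "SETTING_NAME", "value": "SHARING_OUTSIDE_DOMAIN"},
                                {"name": "NEW_VALUE", "value": "false"}]}]},
    {"id": {"time": "2022-12-15T09:58:30Z", "applicationName": "login"},
     "actor": {"email": "admin@example.com"},
     "events": [{"type": "login", "name": "login_success", "parameters": []}]},
]


def _parameters(event: Dict[str, Any]) -> Dict[str, str]:
    """Flatten one sub-event's parameters list into a name -> string value dict."""
    out: Dict[str, str] = {}
    for p in event.get("parameters", []):
        if "value" in p:
            out[p["name"]] = str(p["value"])
        elif "boolValue" in p:
            out[p["name"]] = str(p["boolValue"]).lower()
    return out


def detect_pre_delivery_scanning_disabled(activities: Iterable[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Return one alert per admin activity that switched Gmail pre-delivery scanning off."""
    alerts: List[Dict[str, str]] = []
    for activity in activities:
        if activity.get("id", {}).get("applicationName") != "admin":
            continue  # only the admin audit log carries application setting changes
        for ev in activity.get("events", []):
            if ev.get("name") != "CHANGE_APPLICATION_SETTING":
                continue
            params = _parameters(ev)
            if params.get("APPLICATION_NAME") != "Gmail":
                continue
            if params.get("SETTING_NAME") != PRE_DELIVERY_SCANNING_SETTING:
                continue
            if params.get("NEW_VALUE", "").lower() not in DISABLED_VALUES:
                continue  # enabling or unchanged is not the condition this rule covers
            alerts.append({
                "severity": "medium",
                "time": activity["id"].get("time", ""),
                "actor": activity.get("actor", {}).get("email", "unknown"),
                "org_unit": params.get("ORG_UNIT_NAME", ""),
                "old_value": params.get("OLD_VALUE", ""),
                "new_value": params.get("NEW_VALUE", ""),
            })
    return alerts


def actions_by_actor(activities: Iterable[Dict[str, Any]], actor: str) -> List[str]:
    """Triage helper: every event name the given actor produced, in log order."""
    names: List[str] = []
    for activity in activities:
        if activity.get("actor", {}).get("email") == actor:
            names.extend(ev.get("name", "") for ev in activity.get("events", []))
    return names


if __name__ == "__main__":
    for alert in detect_pre_delivery_scanning_disabled(SAMPLE_ACTIVITIES):
        print(alert)
        print("other actions by actor:", actions_by_actor(SAMPLE_ACTIVITIES, alert["actor"]))
```

Matching on NEW_VALUE rather than on the event name alone is what keeps the rule quiet when an administrator restores the setting; the org unit is carried into the alert because a change scoped to one OU is a different review conversation from a tenant-wide one.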
Categories
- Cloud
- Identity Management
Data Sources
- User Account
- Application Log
- Group
ATT&CK Techniques
- T1566
Created: 2022-12-15