
Summary
This rule monitors user access management for services protected by IAP (Identity-Aware Proxy) in Google Cloud Platform (GCP). It inspects the related audit logs and detects any instance where a user was added to an IAP-protected service, checking whether specific permissions for IAP services were granted to users. Such an event is a potentially significant change to access control that could affect the security posture of the GCP environment, whether the access was provisioned without authorization or by accident. Because GCP logs all bindings every time this event occurs, the bindings should be reviewed regularly to ensure that no unintended users have been added. The rule is designed to trigger alerts based on defined thresholds. By tracking user access changes closely, organizations can take the necessary actions to mitigate the risk of unauthorized access to sensitive resources.
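Because every binding is logged on each change, reviewing an alert means diffing the logged policy against a known-good baseline. The following is an added example, not the rule's own code: the method name, role, and field paths are not given on this page and are assumed from the usual Cloud Audit Log layout for IAP, and the baseline and log entry are constructed.

```python
# Added example. Method name and field paths are assumptions based on the
# usual Cloud Audit Log layout; sample data below is constructed.
IAP_SET_POLICY = "google.cloud.iap.v1.IdentityAwareProxyAdminService.SetIamPolicy"

def dig(obj, *keys, default=None):
    """Walk nested dicts, returning default if any key is missing."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj

def logged_bindings(entry):
    """Return {role: set(members)} from an IAP SetIamPolicy entry, else None."""
    if dig(entry, "protoPayload", "methodName") != IAP_SET_POLICY:
        return None
    bindings = dig(entry, "protoPayload", "request", "policy", "bindings", default=[])
    policy = {}
    for b in bindings or []:
        policy.setdefault(b.get("role", ""), set()).update(b.get("members", []))
    return policy

def unexpected_members(entry, baseline):
    """Members in the logged policy that are absent from the reviewed baseline.

    The entry lists every binding, not only the change, so the diff is what
    isolates the principals that were actually added.
    """
    policy = logged_bindings(entry)
    if policy is None:
        return {}
    diff = {role: members - baseline.get(role, set()) for role, members in policy.items()}
    return {role: sorted(m) for role, m in diff.items() if m}

# Constructed baseline (previously reviewed state) and constructed log entry.
BASELINE = {"roles/iap.httpsResourceAccessor": {"user:alice@example.com"}}
SAMPLE = {
    "protoPayload": {
        "methodName": IAP_SET_POLICY,
        "request": {"policy": {"bindings": [{
            "role": "roles/iap.httpsResourceAccessor",
            "members": ["user:alice@example.com", "user:mallory@example.com"],
        }]}},
    }
}

if __name__ == "__main__":
    print(unexpected_members(SAMPLE, BASELINE))
```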
Categories
- Cloud
- GCP
- Identity Management
Data Sources
- Cloud Service
- User Account
- Application Log
Created: 2023-04-27