This detection rule monitors changes made by administrators to the external sharing settings of primary calendars within a GSuite Workspace. Specifically, it tracks changes in the 'SHARING_OUTSIDE_DOMAIN' setting, which determines how calendars can be shared externally. The rule triggers if an admin alters this setting from one value to another, such as from 'DEFAULT' to 'READ_ONLY_ACCESS', 'READ_WRITE_ACCESS', or 'MANAGE_ACCESS'. These modifications could indicate unauthorized attempts to change the accessibility of calendar information, which could potentially expose sensitive organizational data. Each test scenario included in the rule captures various settings changes and uses structured logging data to verify expected outcomes. This rule is crucial for maintaining security and ensuring compliance within the organization by detecting any unsupported or unexpected changes in calendar sharing settings.