This detection rule monitors the creation of custom administrator roles within Google Workspace. It captures the activity of a Google Workspace administrator who has created a new custom role, which can significantly impact the administrative permissions within an organization. The rule categorizes the action as a 'CREATE_ROLE' event and checks for any unauthorized role deletions prior to this creation, ensuring that the establishment of the new role is appropriately authorized. Furthermore, the rule analyzes the events with specific parameters, such as the actor's details, the unique role identifiers, and timestamps, which are useful for auditing actions performed by administrators.