diff --git a/gcp_cloudaudit/gcp_etd_config_changes.yaral b/gcp_cloudaudit/gcp_etd_config_changes.yaral
new file mode 100644
index 0000000..f154343
--- /dev/null
+++ b/gcp_cloudaudit/gcp_etd_config_changes.yaral
@@ -0,0 +1,33 @@
+/*
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+rule gcp_etd_config_changes {
+ meta:
+ author = "Google Cloud Security"
+ description = "Triggers when the Event Threat detection setting in SCC is modified for a project potentially impairing defenses"
+ severity = "HIGH"
+ reference = "https://attack.mitre.org/techniques/T1562/"
+
+ events:
+ $gcp.metadata.vendor_name = "Google Cloud Platform"
+ $gcp.target.application = "securitycenter.googleapis.com"
+ $gcp.metadata.product_event_type = "google.cloud.securitycenter.settings.v1beta2.Settings.UpdateEventThreatDetectionSettings"
+ $gcp.security_result.action = "ALLOW"
+
+ condition:
+ $gcp
+
+}
diff --git a/gcp_cloudaudit/gcp_iam_essential_contact_deleted.yaral b/gcp_cloudaudit/gcp_iam_essential_contact_deleted.yaral
new file mode 100644
index 0000000..aa1ddbb
--- /dev/null
+++ b/gcp_cloudaudit/gcp_iam_essential_contact_deleted.yaral
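Review bot: The events block keys on `$gcp.metadata.vendor_name = "Google Cloud Platform"` while the sibling rule gcp_iam_essential_contact_deleted added in this same commit keys on `$gcp.metadata.product_name`; if the Cloud Audit parser does not populate both fields identically, one of the two rules silently never fires, so the three rules should agree on a single field (the third rule also uses `vendor_name`). The rule also fires on every UpdateEventThreatDetectionSettings call, including one that re-enables detection, which the description's "potentially impairing defenses" only hints at; a comment above the events block such as `// Fires on any ETD settings update, including re-enabling; triage should inspect the request body for what was disabled.` would set expectations for analysts and explain the HIGH severity.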
@@ -0,0 +1,31 @@
+/*
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+rule gcp_iam_essential_contact_deleted {
+ meta:
+ author = "Google Cloud Security"
+ description = "Trigger when an essential contact is deleted from project or org"
+ severity = "Low"
+
+ events:
+ $gcp.metadata.product_name = "Google Cloud Platform"
+ $gcp.metadata.product_event_type = "google.cloud.essentialcontacts.v1beta1.EssentialContactsService.DeleteContact"
+ $gcp.security_result.action = "ALLOW"
+
+ condition:
+ $gcp
+}
diff --git a/gcp_cloudaudit/gcp_iam_service_account_granted_primitive_role.yaral b/gcp_cloudaudit/gcp_iam_service_account_granted_primitive_role.yaral
new file mode 100644
index 0000000..c369b96
--- /dev/null
+++ b/gcp_cloudaudit/gcp_iam_service_account_granted_primitive_role.yaral
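Review bot: `severity = "Low"` is mixed case while the other two rules in this commit use upper-case values (`"HIGH"`, `"LOW"`); as far as I can tell meta values are free-form strings compared literally, so any downstream filter or dashboard grouping on severity will treat this rule as a fourth, distinct level unless it is unified to `severity = "LOW"`. The description starts with `"Trigger when ..."` where the sibling rules use "Triggers"/"Detect", and this rule is the only one of the three without a `reference` meta entry, which makes it harder to tie the detection to a documented technique. The rule has no `target.application` clause like the first file does, so it relies entirely on `product_event_type` to scope the event; that is probably sufficient for a fully qualified method name, but worth stating in a comment.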
@@ -0,0 +1,36 @@
+/*
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+rule gcp_iam_service_account_granted_primitive_role {
+ meta:
+ author = "Google Cloud Security"
+ description = "Detect when a Service account is being granted sensitive primitive IaM role"
+ severity = "LOW"
+ cis_version = "1.2"
+ cis_control = "1.5"
+
+ events:
+ $gcp.metadata.vendor_name = "Google Cloud Platform"
+ $gcp.metadata.product_event_type = "SetIamPolicy"
+ re.regex($gcp.principal.user.attribute.roles.name, `roles/editor|roles/owner`)
+ $gcp.principal.user.attribute.roles.description = "ADD"
+ re.regex($gcp.target.user.email_addresses, `^serviceAccount`)
+ $gcp.security_result.action = "ALLOW"
+
+ condition:
+ $gcp
+
+}
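Review bot: The role pattern `roles/editor|roles/owner` is unanchored, so any role name containing that substring matches, including a custom role such as `projects/<project>/roles/editor_readonly` (constructed example); anchoring it to `^roles/(editor|owner)$` limits the rule to the two basic roles the description names. The role and `description = "ADD"` checks read `$gcp.principal.user.attribute.roles` while the grantee is matched on `$gcp.target.user.email_addresses`; if the parser attaches the added binding to the target (grantee) user rather than the acting principal, the role clauses never match and the rule is dead, so this should be confirmed against a sample SetIamPolicy event and the chosen noun documented in a comment. The `product_event_type = "SetIamPolicy"` value is a bare method name whereas the other two rules use fully qualified names, which may or may not be how this parser emits it. Also "IaM" in the description should read "IAM", and Google now calls these basic roles rather than primitive roles.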