Suspicious is_suspicious tag

Panther Rules

Summary
The `GSuite.IsSuspiciousTag` detection rule identifies suspicious logins in a GSuite environment by monitoring the `is_suspicious` parameter on activity events. It fires only when a login event is flagged as suspicious, which indicates possible account compromise or unusual behaviour. The rule belongs to the GSuite activity event rules and is intended to help security teams respond to anomalous logins. Its severity is 'Info': not immediately critical, but useful for monitoring user activity and for prompting the security team to investigate and verify flagged events early. Reference documentation is provided for investigating suspicious activity further. The rule's test cases check that a login reported as genuine (not suspicious) does not trigger the rule, and that an event marked `is_suspicious: true` does, so that teams can act on it by following the provided investigation runbook for further user verification.
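A Panther-style rule implementing the check described above, added here as an illustration and not the rule's published source. The event shape, the scoping to `applicationName == "login"`, and the acceptance of a string-valued flag are assumptions, and the sample events are constructed.

```python
"""Illustrative Panther-style rule for the GSuite is_suspicious login tag."""
from typing import Any, Dict, List

# Constructed sample GSuite activity events (not real log data).
GENUINE_LOGIN: Dict[str, Any] = {
    "id": {"applicationName": "login"},
    "actor": {"email": "alice@example.com"},
    "parameters": {"is_suspicious": False, "login_type": "google_password"},
}

SUSPICIOUS_LOGIN: Dict[str, Any] = {
    "id": {"applicationName": "login"},
    "actor": {"email": "bob@example.com"},
    "parameters": {"is_suspicious": True, "login_type": "google_password"},
}

# Non-login event carrying the flag: must not fire, since the rule scopes to logins.
DRIVE_EVENT: Dict[str, Any] = {
    "id": {"applicationName": "drive"},
    "actor": {"email": "carol@example.com"},
    "parameters": {"is_suspicious": True},
}


def rule(event: Dict[str, Any]) -> bool:
    """Return True when a GSuite *login* event is tagged is_suspicious."""
    if event.get("id", {}).get("applicationName") != "login":
        return False
    flag = event.get("parameters", {}).get("is_suspicious", False)
    # Assumption: the flag may arrive as a bool or as a string; accept both forms.
    if isinstance(flag, str):
        return flag.strip().lower() == "true"
    return flag is True


def title(event: Dict[str, Any]) -> str:
    """Alert title naming the affected account, for the analyst triaging it."""
    actor = event.get("actor", {}).get("email", "<unknown actor>")
    return f"GSuite: suspicious login tag for {actor}"


def flagged_actors(events: List[Dict[str, Any]]) -> List[str]:
    """Evaluate the rule over a batch and return the actors that fired it."""
    return [event["actor"]["email"] for event in events if rule(event)]


if __name__ == "__main__":
    for evt in (GENUINE_LOGIN, SUSPICIOUS_LOGIN, DRIVE_EVENT):
        print(title(evt), "->", rule(evt))
```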
Categories
  • Cloud
  • Identity Management
  • Web
Data Sources
  • User Account
  • Application Log
  • Cloud Service
Created: 2025-07-23