
Summary
The 'GSuite User Suspended' rule detects when a GSuite user account has been suspended, which may indicate that the account was compromised or abused by a spam network. The rule consumes GSuite Activity Events, which log activity pertaining to user accounts within the GSuite environment. An alert fires when specific account warnings are logged alongside the suspension, particularly warnings related to spamming. The rule is marked high severity and should be investigated immediately, because a user suspension can cause significant operational disruption and point to a security issue. The rule ships with three tests that exercise typical login events and check whether the logged warnings correspond to a suspended state. Response entails verifying with the affected user and determining the context behind the suspension; if the suspension was unintended, the account may be compromised and further security measures are warranted.
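The detection described above, as an added Python example in the style of a Panther rule (not the rule's own source). The login-audit event names and the id.applicationName / name / actor.email field layout are assumptions, and the sample events are constructed to mirror the three test cases.

```python
# Added example, not the rule's own source: a Panther-style Python rule for
# GSuite user suspensions, run over constructed GSuite Activity Events.
# Assumed: the login-audit event names and the id.applicationName layout.

# Login-audit warnings that accompany a suspension (assumed names).
SUSPENSION_WARNINGS = {
    "account_disabled_spamming",
    "account_disabled_spamming_through_relay",
    "account_disabled_hijacked",
    "account_disabled_password_leak",
    "account_disabled_generic",
}

def deep_get(obj, *keys, default=None):
    """Walk nested dicts safely, e.g. deep_get(e, "id", "applicationName")."""
    for key in keys:
        if not isinstance(obj, dict):
            return default
        obj = obj.get(key, default)
    return obj

def rule(event):
    """Alert only on login-application events carrying a suspension warning."""
    if deep_get(event, "id", "applicationName") != "login":
        return False
    return event.get("name") in SUSPENSION_WARNINGS

def title(event):
    """Alert title naming the affected account and the warning observed."""
    user = deep_get(event, "actor", "email", default="<unknown user>")
    return f"GSuite user [{user}] was suspended ({event.get('name')})"

# Constructed events mirroring the rule's three tests: a normal login,
# a spam-related suspension, and a login warning that is not a suspension.
SAMPLE_EVENTS = [
    {"id": {"applicationName": "login"}, "type": "login",
     "name": "login_success", "actor": {"email": "alice@example.com"}},
    {"id": {"applicationName": "login"}, "type": "account_warning",
     "name": "account_disabled_spamming", "actor": {"email": "bob@example.com"}},
    {"id": {"applicationName": "login"}, "type": "account_warning",
     "name": "suspicious_login", "actor": {"email": "carol@example.com"}},
]

def run(events):
    """Return alert titles for the events that trigger the rule."""
    return [title(e) for e in events if rule(e)]

if __name__ == "__main__":
    print("\n".join(run(SAMPLE_EVENTS)))
```

Only the second sample event alerts: the normal login and the non-suspension warning both fall through, as the rule's tests expect.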
Categories
- Cloud
- Identity Management
Data Sources
- User Account
- Application Log
Created: 2022-09-02