
Summary
This rule detects Google Workspace (G Suite) login activity that Google itself classifies as suspicious, by consuming Google Cloud Audit Logs. It watches for events where protoPayload.Servicename equals login.googleapis.com and the eventName is one of suspicious_login_less_secure_app, suspicious_login, or suspicious_programmatic_login. When matched, it raises a medium-severity alert indicating potential credential compromise or risky access patterns.

The rule relies on Google's own classification to surface abnormal authentication activity, such as use of less-secure applications or automated/programmatic access from unusual locations. It is intended to help identify identity-linked attack vectors across initial access, privilege escalation, persistence, and defense evasion.

The rule includes a false-positive caveat: legitimate logins from new devices or locations, and logins by CI or service accounts, can resemble suspicious activity. The rule's status is experimental. Its references point to Google Workspace audit and suspicious-login documentation for context on, and justification of, the events it monitors.
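The matching logic described above, run over constructed Cloud Logging entries, as an added example that is not part of the rule or its documentation. It assumes the camel-case Cloud Logging keys `protoPayload.serviceName`, `protoPayload.metadata.event[].eventName` and `protoPayload.authenticationInfo.principalEmail`, and the allowlist handling for known CI/service accounts is an illustrative triage aid, not part of the rule.

```python
import json

# Rule constants as described on the page.
SERVICE_NAME = "login.googleapis.com"
SUSPICIOUS_EVENTS = {
    "suspicious_login",
    "suspicious_login_less_secure_app",
    "suspicious_programmatic_login",
}


def event_names(entry):
    """Yield eventName values from one audit log entry.
    Assumption: Workspace events are nested at protoPayload.metadata.event[];
    a flat protoPayload.eventName is accepted as well."""
    payload = entry.get("protoPayload", {})
    if "eventName" in payload:
        yield payload["eventName"]
    for ev in payload.get("metadata", {}).get("event", []):
        if "eventName" in ev:
            yield ev["eventName"]


def matches(entry):
    """True when the service name matches and any event is in the suspicious set."""
    payload = entry.get("protoPayload", {})
    if payload.get("serviceName") != SERVICE_NAME:
        return False
    return any(name in SUSPICIOUS_EVENTS for name in event_names(entry))


def evaluate(raw_lines, allowlist=frozenset()):
    """Return medium-severity alerts for matching JSON lines; actors on the
    allowlist (e.g. known CI service accounts) are flagged for analyst triage
    rather than dropped, so the signal is never silently lost."""
    alerts = []
    for line in raw_lines:
        entry = json.loads(line)
        if not matches(entry):
            continue
        actor = entry["protoPayload"].get("authenticationInfo", {}).get("principalEmail", "unknown")
        alerts.append({
            "severity": "medium",
            "actor": actor,
            "events": sorted(set(event_names(entry)) & SUSPICIOUS_EVENTS),
            "likely_false_positive": actor in allowlist,
        })
    return alerts


# Constructed sample entries (not real log data): one match, one benign login,
# one suspicious event from the wrong service, one match from a CI account.
SAMPLE_LOGS = [
    '{"protoPayload":{"serviceName":"login.googleapis.com","authenticationInfo":{"principalEmail":"alice@example.com"},"metadata":{"event":[{"eventName":"suspicious_login"}]}}}',
    '{"protoPayload":{"serviceName":"login.googleapis.com","authenticationInfo":{"principalEmail":"bob@example.com"},"metadata":{"event":[{"eventName":"login_success"}]}}}',
    '{"protoPayload":{"serviceName":"admin.googleapis.com","authenticationInfo":{"principalEmail":"carol@example.com"},"metadata":{"event":[{"eventName":"suspicious_programmatic_login"}]}}}',
    '{"protoPayload":{"serviceName":"login.googleapis.com","authenticationInfo":{"principalEmail":"ci-bot@example.com"},"metadata":{"event":[{"eventName":"suspicious_programmatic_login"}]}}}',
]
```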
Categories
- Cloud
- Identity Management
- Web
Data Sources
- Logon Session
- Web Credential
Created: 2026-04-28