
Summary
This detection rule targets GSuite user devices that may have been flagged as compromised, based on activity logs from mobile device management. It monitors GSuite Activity Events for changes in mobile device status and keys on the event type 'DEVICE_COMPROMISED_EVENT', which records an explicit compromise status for a user's device. The rule reads the mobile application audit log, which records actions performed on a user's mobile device. When an event indicating a device compromise is logged, the rule fires and categorizes the incident as a potential security threat requiring user intervention. The prescribed response is to have the affected user change their passwords and reset the device to mitigate any remaining risk. The rule is assigned medium severity, signifying that it needs attention without being overly alarming.
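The detection logic described above, run over constructed sample records, as an added example that is not part of the original rule page or the project that publishes it. The record layout (id.applicationName, actor.email, events[].name, events[].parameters[]) is an assumption modelled on the Google Workspace Reports API activity format; the sample records, the DEVICE_COMPROMISED_STATE handling and the other event names are constructed for illustration, not real logs.

```python
"""GSuite mobile device compromise detection, run over constructed sample records.

Added example. The record layout is an assumption modelled on the Google Workspace
Reports API activity JSON; the sample records below are constructed, not real logs.
"""
import json
from typing import Dict, Iterable, Iterator, List

RULE_NAME = "GSuite Device Compromised"
SEVERITY = "medium"                      # severity stated in the rule description
EVENT_NAME = "DEVICE_COMPROMISED_EVENT"  # the event type the rule keys on
APPLICATION = "mobile"                   # mobile device management audit log
RESPONSE = "Have the user change their passwords and reset the device."

# Constructed sample input, one activity record per line (JSONL).
SAMPLE_ACTIVITY_JSONL = "\n".join([
    # Explicit compromise on Alice's Android device: must alert.
    json.dumps({
        "id": {"time": "2022-09-02T10:15:00.000Z", "applicationName": "mobile"},
        "actor": {"email": "alice@example.com"},
        "events": [{
            "type": "device_updates",
            "name": "DEVICE_COMPROMISED_EVENT",
            "parameters": [
                {"name": "DEVICE_ID", "value": "device-001"},
                {"name": "DEVICE_TYPE", "value": "ANDROID"},
                {"name": "DEVICE_COMPROMISED_STATE", "value": "COMPROMISED"},
            ],
        }],
    }),
    # Same event name but the state was cleared (assumed clearing event): no alert.
    json.dumps({
        "id": {"time": "2022-09-02T11:00:00.000Z", "applicationName": "mobile"},
        "actor": {"email": "bob@example.com"},
        "events": [{
            "type": "device_updates",
            "name": "DEVICE_COMPROMISED_EVENT",
            "parameters": [
                {"name": "DEVICE_ID", "value": "device-002"},
                {"name": "DEVICE_COMPROMISED_STATE", "value": "NOT_COMPROMISED"},
            ],
        }],
    }),
    # Unrelated mobile event (constructed name): no alert.
    json.dumps({
        "id": {"time": "2022-09-02T11:30:00.000Z", "applicationName": "mobile"},
        "actor": {"email": "carol@example.com"},
        "events": [{"type": "device_updates", "name": "DEVICE_REGISTER_EVENT",
                    "parameters": [{"name": "DEVICE_ID", "value": "device-003"}]}],
    }),
    # Event from a different application log: no alert.
    json.dumps({
        "id": {"time": "2022-09-02T12:00:00.000Z", "applicationName": "login"},
        "actor": {"email": "alice@example.com"},
        "events": [{"type": "login", "name": "login_success", "parameters": []}],
    }),
])


def load_records(jsonl: str) -> Iterator[Dict]:
    """Parse newline-delimited JSON activity records, skipping blank or malformed lines."""
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # one malformed line must not abort the whole rule run


def _params(event: Dict) -> Dict[str, str]:
    """Flatten the events[].parameters list into a name -> value mapping."""
    return {p["name"]: p.get("value") for p in event.get("parameters", []) if "name" in p}


def detect_compromised_devices(records: Iterable[Dict]) -> List[Dict]:
    """Return one alert per mobile event that reports an explicit device compromise."""
    alerts: List[Dict] = []
    for rec in records:
        if rec.get("id", {}).get("applicationName") != APPLICATION:
            continue  # only the mobile device management log is in scope
        user = rec.get("actor", {}).get("email", "<unknown>")
        when = rec.get("id", {}).get("time", "<unknown>")
        for ev in rec.get("events", []):
            if ev.get("name") != EVENT_NAME:
                continue
            params = _params(ev)
            # Assumption: a DEVICE_COMPROMISED_STATE other than COMPROMISED is a
            # clearing event; absence of the parameter is treated as compromised.
            if params.get("DEVICE_COMPROMISED_STATE", "COMPROMISED") != "COMPROMISED":
                continue
            alerts.append({
                "rule": RULE_NAME,
                "severity": SEVERITY,
                "time": when,
                "user": user,
                "device_id": params.get("DEVICE_ID", "<unknown>"),
                "device_type": params.get("DEVICE_TYPE", "<unknown>"),
                "response": RESPONSE,
            })
    return alerts


def run_rule(jsonl: str = SAMPLE_ACTIVITY_JSONL) -> List[Dict]:
    """Parse a JSONL activity export and apply the rule to it."""
    return detect_compromised_devices(load_records(jsonl))


if __name__ == "__main__":
    for alert in run_rule():
        print(json.dumps(alert, indent=2))
```

Running the module prints a single alert for Alice's device; the cleared event, the unrelated mobile event and the login record are all filtered out. Keying on applicationName first keeps the rule cheap on a mixed activity feed, and folding the parameters into a dictionary makes the state check and the alert fields independent of parameter order.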
Categories
- Cloud
- Mobile
Data Sources
- User Account
- Application Log
Created: 2022-09-02