Google Workspace is a popular productivity suite that offers a broad collection of apps, including Gmail, Drive, Calendar, and Docs. Attackers can gain access to sensitive data by compromising an account, and learning how to identify malicious activity in the Workspace environment enables security teams to stop threats before they become more serious. Common ways attackers target Google Workspace include compromising credentials, phishing, and deploying malicious OAuth applications. Attackers often focus on Gmail, user accounts, devices, and administrators as entry points for their attacks. Monitoring Gmail activity, user activity, device activity, and admin activity can help security teams detect suspicious behavior. Datadog Cloud SIEM provides a Google Workspace Content Pack that enables teams to onboard quickly and efficiently identify and surface key trends across apps, devices, and users, including built-in detections tailored to identify suspicious behavior captured in Google Workspace logs and Alert Center alerts.