Port 22

Following the Trail of Threat Actors in Google Workspace Audit Logs

When approaching incident response in an environment you may not be very familiar with, the biggest challenge is often knowing what to look for. This is especially true when you're facing dozens of data sources with hundreds of event types. As an incident responder, it's your job to determine what is legitimate and what is not among a sea of activity, which is easier said than done. This blog post and its accompanying cheat sheet provide guidance on some key events of interest that can be a starting point for reviewing Google Workspace activity in the scope of an incident.