Why is the gsuite_spam_email rule triggering for archived/departed users?

Last updated: January 6, 2026

QUESTION

Why am I seeing “Surge in spam emails received by user [{user}]” alerts from the gsuite_spam_email rule for users whose accounts were archived in Google Workspace?

ANSWER

The gsuite_spam_email rule is a pass-through detection, which means it alerts on what Gmail is already reporting. Gmail identifies the messages as spam, and Panther surfaces those spam delivery events using data from Google Workspace. Because Google’s logs don’t have a field showing whether a mailbox is active or archived, Panther can’t filter those users out.