A really very smart presentation at modern SecOps by the Etsy people. Well worth paging through the slides to see what tips you can glean.
E.g. did you know gmail has an audit API that you can mine for admin actions, sign in locations and setting up of forwarding rules etc. Prime ways to spot compromised accounts / attacks