
Summary
Detects the successful deletion of an AWS Lambda function by monitoring CloudTrail logs for DeleteFunction calls whose event source is lambda.amazonaws.com. The rule matches events in the aws.cloudtrail data stream where event.action is DeleteFunction (including the date-suffixed API version variants that CloudTrail records, such as DeleteFunction20150331) and event.outcome is success, meaning the function and its associated code, configuration, versions, and aliases have been removed. The rule runs every 5 minutes over a lookback window starting at now-6m against the logs-aws.cloudtrail-* indices. Note that Lambda also exposes separately named actions that begin with the same prefix (for example DeleteFunctionConcurrency and DeleteFunctionUrlConfig); these do not delete the function and should not be treated as matches.

A Lambda deletion is a potentially destructive change to a mission-critical resource. It may be legitimate (decommissioning or an IaC destroy) or malicious (backdoor removal or evidence obfuscation). The rule maps to the MITRE ATT&CK techniques Data Destruction (T1485) and Service Stop (T1489) under the Impact tactic (TA0040).

Triage: verify the actor (aws.cloudtrail.user_identity.arn and aws.cloudtrail.user_identity.type), inspect the deleted function's name (aws.cloudtrail.request_parameters.functionName), and correlate with change-management records to confirm that the deletion falls within an approved maintenance window or is attributable to known automation. Also review related Lambda and logging activity by the same principal (CreateFunction, UpdateFunctionCode, AddPermission, event source mapping changes, and log-group deletions) to assess broader impact and whether the deletion was operationally necessary.

False positives: routine decommissioning and IaC-driven deletions are common; validate against known automation roles and principals before escalating.

Remediation: restore the function from source control or its IaC definition, review for related destructive or evasive actions, rotate the credentials involved, and restrict lambda:DeleteFunction to trusted roles.

References: the AWS Lambda DeleteFunction API reference and the CloudTrail logging guidance for Lambda.
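The following is an added example, not the rule's own query or Elastic's code. It runs the match conditions described above over a handful of constructed CloudTrail records (fictitious account, ARNs and function names), maps the raw CloudTrail fields onto the ECS names the rule uses, anchors the action match so that sibling actions such as DeleteFunctionConcurrency do not fire, applies the 6-minute lookback, and emits the triage fields an analyst needs. The automation allowlist, the field mapping, and the date suffix on the DeleteFunctionConcurrency sample are assumptions made for the example.

```python
"""Detection and triage of successful AWS Lambda DeleteFunction calls.

Added example (not the detection rule's query): normalises raw CloudTrail
records into the ECS fields named by the rule, applies the rule's match
conditions and lookback window, and returns triage data per alert.
"""
import re
from datetime import datetime, timedelta, timezone

# CloudTrail records the Lambda API name with a date-suffixed version
# (e.g. DeleteFunction20150331). Anchor the pattern so that sibling actions
# such as DeleteFunctionConcurrency or DeleteFunctionUrlConfig never match.
DELETE_FUNCTION = re.compile(r"^DeleteFunction(\d{8}(v\d+)?)?$")

# Assumption: principals this organisation uses for IaC-driven teardown.
KNOWN_AUTOMATION_ARNS = {
    "arn:aws:sts::123456789012:assumed-role/terraform-deploy/ci-runner",
}

NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock


def _rec(minutes_ago, name, arn, id_type, fn, error=None):
    """Build a constructed CloudTrail record (fictitious account and ARNs)."""
    r = {
        "eventTime": (NOW - timedelta(minutes=minutes_ago)).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "eventSource": "lambda.amazonaws.com",
        "eventName": name,
        "userIdentity": {"type": id_type, "arn": arn},
        "requestParameters": {"functionName": fn},
    }
    if error:
        r["errorCode"] = error  # presence of errorCode marks a failed call
    return r


SAMPLE_RECORDS = [  # constructed sample input
    _rec(2, "DeleteFunction20150331", "arn:aws:iam::123456789012:user/alice", "IAMUser", "payments-webhook"),
    _rec(4, "DeleteFunction20150331",
         "arn:aws:sts::123456789012:assumed-role/terraform-deploy/ci-runner", "AssumedRole", "legacy-cleanup"),
    _rec(3, "DeleteFunction20150331", "arn:aws:iam::123456789012:user/bob", "IAMUser", "payments-webhook",
         error="AccessDeniedException"),
    # Date suffix on this sibling action is illustrative, not verified.
    _rec(1, "DeleteFunctionConcurrency20171031", "arn:aws:iam::123456789012:user/alice", "IAMUser", "payments-webhook"),
    _rec(20, "DeleteFunction20150331", "arn:aws:iam::123456789012:user/carol", "IAMUser", "old-report-job"),
]


def to_ecs(record):
    """Map the CloudTrail fields the rule uses onto their ECS names (assumed mapping)."""
    ident = record.get("userIdentity", {})
    return {
        "@timestamp": datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "event.provider": record.get("eventSource"),
        "event.action": record.get("eventName"),
        "event.outcome": "failure" if "errorCode" in record else "success",
        "aws.cloudtrail.user_identity.arn": ident.get("arn"),
        "aws.cloudtrail.user_identity.type": ident.get("type"),
        "aws.cloudtrail.request_parameters.functionName": record.get("requestParameters", {}).get("functionName"),
    }


def matches_rule(ecs):
    """Rule conditions: Lambda source, DeleteFunction (any API version), successful outcome."""
    action = ecs["event.action"]
    return (ecs["event.provider"] == "lambda.amazonaws.com"
            and action is not None
            and DELETE_FUNCTION.match(action) is not None
            and ecs["event.outcome"] == "success")


def in_lookback(ecs, now=NOW, lookback=timedelta(minutes=6)):
    """The rule runs every 5m and looks back from now-6m."""
    return now - lookback <= ecs["@timestamp"] <= now


def triage(ecs, automation=KNOWN_AUTOMATION_ARNS):
    """Fields an analyst checks first; known_automation flags the common false positive."""
    arn = ecs["aws.cloudtrail.user_identity.arn"]
    return {
        "actor": arn,
        "identity_type": ecs["aws.cloudtrail.user_identity.type"],
        "function_name": ecs["aws.cloudtrail.request_parameters.functionName"],
        "known_automation": arn in automation,
        "mitre": ["T1485", "T1489"],
    }


def run(records=SAMPLE_RECORDS, now=NOW, automation=KNOWN_AUTOMATION_ARNS):
    """Return one triage dict per record that matches the rule inside the window."""
    return [triage(ecs, automation)
            for ecs in map(to_ecs, records)
            if matches_rule(ecs) and in_lookback(ecs, now)]


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Of the five constructed records, only two alert: alice's deletion of payments-webhook (not a known automation principal, so it needs change-management correlation) and the terraform-deploy role's deletion of legacy-cleanup (flagged as known automation, the typical benign case). The AccessDenied attempt, the DeleteFunctionConcurrency call and the deletion 20 minutes outside the lookback are all excluded.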
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1485
- T1489
Created: 2026-06-18