AWS SQS Queue Purge

Elastic Detection Rules

Summary
This rule detects purge actions performed on Amazon Web Services (AWS) Simple Queue Service (SQS) queues. An adversary can use a queue purge to disrupt operations by destroying in-flight work, or to blind defenders by discarding messages a downstream consumer would otherwise have processed or logged. When an SQS queue is purged, every message in it is deleted irreversibly (AWS documents that the deletion can take up to 60 seconds to complete, and there is no way to recover the messages afterwards), so a purge is a potential indicator of malicious intent, particularly when it is performed by an identity that is not expected to manage the queue.

The detection leverages AWS CloudTrail, which records PurgeQueue as a management event, and matches records in which the 'PurgeQueue' action was executed successfully against the SQS API. The rule itself flags every successful purge; the investigation guide is what separates expected activity from unexpected or unauthorized sources. It walks through ascertaining the legitimacy of the purge event: reviewing the permissions of the IAM identity that made the call, identifying the source IP address, user agent and timing of the action, and cross-referencing related AWS activity by the same identity around the same time. It also assesses the false positives to expect, chiefly legitimate administrative work and automated processes (for example deployment or maintenance jobs that clear a queue by design).

Finally, the rule outlines response and remediation actions: isolating the affected resources and the identity involved, restoring critical data from upstream producers where that is possible, and tightening monitoring and access controls so that the sqs:PurgeQueue permission is held only by the principals that need it. Taken together, this detection helps maintain operational integrity and strengthens security posture against adversarial activity targeting AWS services.
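The following is an added example, not the Elastic rule's own query or code. It reproduces the rule's core logic in Python over a few constructed CloudTrail records: keep records from sqs.amazonaws.com whose eventName is PurgeQueue and which carry no errorCode (a successful call), then apply a triage step the rule's guide describes in prose, comparing the calling principal against an allowlist of identities expected to purge queues. Every ARN, IP address, queue URL and the allowlist itself are constructed for the example.

```python
"""Flag successful SQS PurgeQueue calls in CloudTrail records.

Added example; not the Elastic rule or any Elastic code. It mirrors the
rule's logic (CloudTrail record, eventSource sqs.amazonaws.com,
eventName PurgeQueue, successful outcome) and adds an allowlist to
separate likely-benign purges from ones that need investigation.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Hypothetical principals expected to purge queues, e.g. a deploy role.
# In practice this list comes from your own change-management records.
EXPECTED_PURGE_PRINCIPALS = {
    "arn:aws:sts::123456789012:assumed-role/deploy-role/ci-runner",
}


@dataclass(frozen=True)
class PurgeFinding:
    event_time: str
    principal_arn: str
    source_ip: str
    queue_url: str
    expected: bool  # True when the principal is allowlisted (likely benign)


def is_successful_purge(record: dict) -> bool:
    """Core rule logic: SQS PurgeQueue call with no error recorded.

    CloudTrail only sets errorCode/errorMessage on failed calls, so a
    record without errorCode is a successful invocation.
    """
    return (
        record.get("eventSource") == "sqs.amazonaws.com"
        and record.get("eventName") == "PurgeQueue"
        and "errorCode" not in record
    )


def detect_purges(records: list[dict]) -> list[PurgeFinding]:
    """Return one finding per successful purge, tagged with triage context."""
    findings: list[PurgeFinding] = []
    for r in records:
        if not is_successful_purge(r):
            continue
        principal = r.get("userIdentity", {}).get("arn", "<unknown>")
        findings.append(PurgeFinding(
            event_time=r.get("eventTime", ""),
            principal_arn=principal,
            source_ip=r.get("sourceIPAddress", ""),
            queue_url=r.get("requestParameters", {}).get("queueUrl", ""),
            expected=principal in EXPECTED_PURGE_PRINCIPALS,
        ))
    return findings


def suspicious(findings: list[PurgeFinding]) -> list[PurgeFinding]:
    """Purges by principals that are not on the allowlist."""
    return [f for f in findings if not f.expected]


def load_records(cloudtrail_json: str) -> list[dict]:
    """CloudTrail log files wrap events in a top-level 'Records' array."""
    return json.loads(cloudtrail_json)["Records"]


# Constructed sample CloudTrail records (not real log data). Only the
# fields the detector reads are populated.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {   # successful purge by an IAM user from an unfamiliar address: flag
        "eventTime": "2025-01-08T10:15:02Z", "eventSource": "sqs.amazonaws.com",
        "eventName": "PurgeQueue", "sourceIPAddress": "203.0.113.45",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/contractor"},
        "requestParameters": {
            "queueUrl": "https://sqs.us-east-1.amazonaws.com/123456789012/orders"},
    },
    {   # successful purge by the deploy role: matches, but expected
        "eventTime": "2025-01-08T10:20:00Z", "eventSource": "sqs.amazonaws.com",
        "eventName": "PurgeQueue", "sourceIPAddress": "10.0.4.12",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/deploy-role/ci-runner"},
        "requestParameters": {
            "queueUrl": "https://sqs.us-east-1.amazonaws.com/123456789012/staging-jobs"},
    },
    {   # denied purge attempt: not a successful outcome, not matched
        "eventTime": "2025-01-08T10:21:30Z", "eventSource": "sqs.amazonaws.com",
        "eventName": "PurgeQueue", "sourceIPAddress": "203.0.113.45",
        "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/contractor"},
        "requestParameters": {
            "queueUrl": "https://sqs.us-east-1.amazonaws.com/123456789012/payments"},
    },
    {   # different SQS action: not matched by this rule
        "eventTime": "2025-01-08T10:25:00Z", "eventSource": "sqs.amazonaws.com",
        "eventName": "DeleteQueue", "sourceIPAddress": "10.0.4.12",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/deploy-role/ci-runner"},
        "requestParameters": {
            "queueUrl": "https://sqs.us-east-1.amazonaws.com/123456789012/old-queue"},
    },
]})


if __name__ == "__main__":
    for f in suspicious(detect_purges(load_records(SAMPLE_CLOUDTRAIL))):
        print(f"INVESTIGATE {f.event_time} {f.principal_arn} from {f.source_ip} purged {f.queue_url}")
```

Run on the embedded sample, only the contractor's purge of the orders queue is reported: the deploy role's purge matches the rule but is allowlisted, the AccessDenied attempt is excluded because the rule keys on successful calls, and DeleteQueue is a different action. The denied attempt is still worth a separate look during triage, since a failed purge followed by a successful one from the same identity is exactly the timeline the investigation guide asks you to reconstruct.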
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Storage
  • Cloud Service
  • Network Traffic
ATT&CK Techniques
  • T1562
  • T1562.008
Created: 2025-01-08