GCP Logging Bucket Deletion

Elastic Detection Rules

Summary
This rule identifies the deletion of Logging buckets in Google Cloud Platform (GCP), the containers that hold log data. A deleted bucket enters a pending state for 7 days, during which logs are still routed to it. The rule detects a defense-evasion tactic in which an adversary deletes log buckets to obscure their activity. By monitoring GCP audit logs for events whose action matches google.logging.v*.ConfigServiceV*.DeleteBucket, security analysts can quickly identify unauthorized deletion attempts. If a deletion event is confirmed, investigation steps include verifying the user's identity, evaluating log sink configurations, and reviewing IAM roles, in order to improve the overall security posture and reduce the risk of data loss and unauthorized access.
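As an added example (not the Elastic rule's own query or code from this page), the matching logic described above applied to constructed ECS-style GCP audit events; the field names event.dataset, event.action, event.outcome, user.name and gcp.audit.resource_name, and all sample values, are assumptions.

```python
import fnmatch

# Action pattern named in the rule summary; the API version segments are wildcarded
# so v2 and any later ConfigService revision match.
DELETE_BUCKET_PATTERN = "google.logging.v*.ConfigServiceV*.DeleteBucket"

# Constructed sample events (assumed ECS-style field names, not real log data).
SAMPLE_EVENTS = [
    {"event.dataset": "gcp.audit",
     "event.action": "google.logging.v2.ConfigServiceV2.DeleteBucket",
     "event.outcome": "success", "user.name": "alice@example.com",
     "gcp.audit.resource_name": "projects/example-proj/locations/global/buckets/app-logs"},
    {"event.dataset": "gcp.audit",
     "event.action": "google.logging.v2.ConfigServiceV2.DeleteBucket",
     "event.outcome": "failure", "user.name": "bob@example.com",
     "gcp.audit.resource_name": "projects/example-proj/locations/global/buckets/_Required"},
    {"event.dataset": "gcp.audit",
     "event.action": "google.logging.v2.ConfigServiceV2.UpdateBucket",
     "event.outcome": "success", "user.name": "alice@example.com",
     "gcp.audit.resource_name": "projects/example-proj/locations/global/buckets/app-logs"},
    {"event.dataset": "gcp.audit",
     "event.action": "google.logging.v2.ConfigServiceV2.UndeleteBucket",
     "event.outcome": "success", "user.name": "alice@example.com",
     "gcp.audit.resource_name": "projects/example-proj/locations/global/buckets/app-logs"},
]


def is_bucket_deletion(event, require_success=True):
    """True when the event is a GCP audit DeleteBucket call on a Logging bucket.

    With require_success=True only completed deletions alert (the bucket is now in
    its 7-day pending state); set it False to also surface denied attempts.
    """
    if event.get("event.dataset") != "gcp.audit":
        return False
    if not fnmatch.fnmatchcase(event.get("event.action", ""), DELETE_BUCKET_PATTERN):
        return False
    return (not require_success) or event.get("event.outcome") == "success"


def find_bucket_deletions(events, require_success=True):
    """Return (principal, bucket resource) pairs for matching events, in order."""
    return [(e.get("user.name"), e.get("gcp.audit.resource_name"))
            for e in events if is_bucket_deletion(e, require_success)]


if __name__ == "__main__":
    for user, bucket in find_bucket_deletions(SAMPLE_EVENTS):
        print(f"ALERT: {user} deleted logging bucket {bucket}")
```

Each alert is a starting point for the investigation steps above: confirm the principal, check which sinks routed into the deleted bucket, and review who holds roles that permit bucket deletion.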
Categories
  • Cloud
  • Infrastructure
Data Sources
  • Cloud Storage
  • Logon Session
ATT&CK Techniques
  • T1562
Created: 2020-09-21