
AWS GuardDuty Member Account Manipulation

Elastic Detection Rules

Summary
This rule detects attempts to disassociate or otherwise manipulate Amazon GuardDuty member accounts within an AWS organization. In a multi-account GuardDuty deployment, a delegated administrator aggregates findings from member accounts, providing the centralized visibility that threat detection depends on. Adversaries may break this relationship by disassociating member accounts, deleting member relationships, stopping monitoring of members, or deleting pending invitations, so that activity in those accounts is no longer reported to the administrator. The GuardDuty API actions examined are `DisassociateFromMasterAccount`, `DeleteMembers`, `StopMonitoringMembers`, and `DeleteInvitations`, as recorded in CloudTrail; these are rare operational actions and indicate either a compromised account or preparation to disable GuardDuty. When triaging an alert, confirm that the API call actually succeeded (a failed call still shows intent but has not reduced coverage), validate the identity and credentials that issued it, and assess the request context (source IP, user agent, region, and timing) against normal administrative patterns, since legitimate administrative changes such as account offboarding produce the same events and are the main source of false positives.
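The detection logic described above, run over a handful of CloudTrail-style records, as an added example (not Elastic's rule code). The sample events are constructed; the account IDs, ARNs, detector ID and IP addresses are placeholders. Field names follow the CloudTrail record schema (`eventSource`, `eventName`, `errorCode`, `userIdentity`, `requestParameters`). The example also shows the two triage points from the summary: separating successful calls from denied ones, and resolving the issuing role behind an assumed-role session so the actor can be validated.

```python
"""Match GuardDuty member-manipulation API calls in CloudTrail records.

Added example; not part of the Elastic rule. Input below is constructed.
"""
from collections import Counter
import json

# GuardDuty API actions the rule summary lists as breaking the admin/member link.
MEMBER_MANIPULATION_ACTIONS = {
    "DisassociateFromMasterAccount",
    "DeleteMembers",
    "StopMonitoringMembers",
    "DeleteInvitations",
}
GUARDDUTY_EVENT_SOURCE = "guardduty.amazonaws.com"

# Constructed sample CloudTrail records (not real logs); IDs, ARNs and IPs are placeholders.
SAMPLE_EVENTS = [
    {   # successful StopMonitoringMembers by an IAM user -> should alert
        "eventTime": "2026-02-05T10:01:00Z", "eventSource": GUARDDUTY_EVENT_SOURCE,
        "eventName": "StopMonitoringMembers", "awsRegion": "us-east-1",
        "recipientAccountId": "111111111111", "sourceIPAddress": "203.0.113.10",
        "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/ops-admin"},
        "requestParameters": {"detectorId": "12abc34d567e8fa901bc2d34e56789f0",
                              "accountIds": ["222222222222"]},
    },
    {   # DeleteMembers that was denied -> intent, but coverage not reduced
        "eventTime": "2026-02-05T10:02:30Z", "eventSource": GUARDDUTY_EVENT_SOURCE,
        "eventName": "DeleteMembers", "awsRegion": "us-east-1",
        "recipientAccountId": "111111111111", "sourceIPAddress": "198.51.100.7",
        "userAgent": "Boto3/1.34.0", "errorCode": "AccessDeniedException",
        "errorMessage": "User is not authorized to perform: guardduty:DeleteMembers",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111111111111:assumed-role/ci-deploy/session1",
                         "sessionContext": {"sessionIssuer": {
                             "arn": "arn:aws:iam::111111111111:role/ci-deploy"}}},
        "requestParameters": {"detectorId": "12abc34d567e8fa901bc2d34e56789f0",
                              "accountIds": ["222222222222", "333333333333"]},
    },
    {   # read-only GuardDuty call -> benign, no alert
        "eventTime": "2026-02-05T10:03:00Z", "eventSource": GUARDDUTY_EVENT_SOURCE,
        "eventName": "ListMembers", "awsRegion": "us-east-1",
        "recipientAccountId": "111111111111", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/ops-admin"},
        "requestParameters": {"detectorId": "12abc34d567e8fa901bc2d34e56789f0"},
    },
    {   # unrelated service -> no alert
        "eventTime": "2026-02-05T10:04:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "StopInstances", "awsRegion": "us-east-1",
        "recipientAccountId": "111111111111", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/ops-admin"},
        "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}},
    },
    {   # member account leaving the administrator on its own -> should alert
        "eventTime": "2026-02-05T10:05:00Z", "eventSource": GUARDDUTY_EVENT_SOURCE,
        "eventName": "DisassociateFromMasterAccount", "awsRegion": "eu-west-1",
        "recipientAccountId": "222222222222", "sourceIPAddress": "192.0.2.44",
        "userAgent": "console.amazonaws.com",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::222222222222:root"},
        "requestParameters": {"detectorId": "98fed76c543b2a109fe8d76c54b321a0"},
    },
]


def actor_of(user_identity):
    """Prefer the issuing role ARN for assumed-role sessions; fall back to the principal ARN."""
    issuer = user_identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or user_identity.get("arn", "<unknown>")


def detect_member_manipulation(events, require_success=True):
    """Return one hit per matching event. With require_success, denied calls are dropped."""
    hits = []
    for ev in events:
        if ev.get("eventSource") != GUARDDUTY_EVENT_SOURCE:
            continue
        if ev.get("eventName") not in MEMBER_MANIPULATION_ACTIONS:
            continue
        succeeded = "errorCode" not in ev          # CloudTrail omits errorCode on success
        if require_success and not succeeded:
            continue
        params = ev.get("requestParameters") or {}
        hits.append({
            "time": ev.get("eventTime"),
            "action": ev["eventName"],
            "account": ev.get("recipientAccountId"),
            "actor": actor_of(ev.get("userIdentity", {})),
            "source_ip": ev.get("sourceIPAddress"),
            "user_agent": ev.get("userAgent"),
            "region": ev.get("awsRegion"),
            "targets": list(params.get("accountIds", [])),   # empty for DisassociateFromMasterAccount
            "succeeded": succeeded,
        })
    return hits


def actors_by_count(hits):
    """Triage aid: how many matching calls each principal issued (repeat actors stand out)."""
    return Counter(h["actor"] for h in hits)


if __name__ == "__main__":
    for hit in detect_member_manipulation(SAMPLE_EVENTS, require_success=False):
        print(json.dumps(hit))
```

Running the block prints every matching call, including the denied `DeleteMembers`; a production rule would keep the default `require_success=True` for alerting and surface the failed attempts as a lower-severity signal. The `actor_of` helper matters because an assumed-role session ARN is unique per session, so grouping on the issuing role is what lets you compare a hit against the principals that normally administer GuardDuty.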
Categories
  • Cloud
  • Infrastructure
Data Sources
  • Cloud Service
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1562
  • T1562.001
Created: 2026-02-05