
Summary
This detection rule identifies anomalous spikes in API activity related to the deletion of S3 buckets within an AWS environment. It uses AWS CloudTrail logs as its primary data source, establishing a historical baseline of deletion events against which current activity is compared. If the number of deletion actions exceeds the expected threshold, the rule raises an alert, since such a burst may indicate malicious behavior such as data exfiltration or unauthorized data loss. This matters because bucket deletions can cause significant data loss and expose sensitive information. The rule's conditions rest on statistical evaluation so that genuine anomalous spikes are distinguished from normal fluctuations in activity, and any anomaly it detects warrants immediate investigation.
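As an added illustration, not the rule's own logic or code, the baseline-and-threshold check described above in Python over constructed CloudTrail-style records. Assumptions: the relevant events are eventName DeleteBucket from eventSource s3.amazonaws.com, the baseline is each principal's hourly count over the preceding seven days, and an alert fires when the current hour exceeds mean plus three standard deviations and a minimum-count floor (the ARNs, timestamps and thresholds are made up).

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Constructed CloudTrail-style records, reduced to the fields the check reads.
def _rec(ts, user, name="DeleteBucket"):
    return {"eventTime": ts, "eventSource": "s3.amazonaws.com",
            "eventName": name, "userIdentity": {"arn": user}}

DEPLOY = "arn:aws:sts::111122223333:assumed-role/deploy/ci"  # constructed ARN
ADMIN = "arn:aws:iam::111122223333:user/admin-example"       # constructed ARN
NOW = datetime(2024, 11, 14, 9, 30, tzinfo=timezone.utc)
EVENTS = (
    # A week of history: the deploy role removes one bucket every six hours.
    [_rec(f"2024-11-{7 + d:02d}T{h:02d}:10:00Z", DEPLOY)
     for d in range(8) for h in (0, 6, 12, 18)]
    # Current hour: the deploy role's usual single deletion...
    + [_rec("2024-11-14T09:12:00Z", DEPLOY)]
    # ...and a burst of fifteen deletions from a user with no history.
    + [_rec(f"2024-11-14T09:{m:02d}:00Z", ADMIN) for m in range(15)]
    + [_rec("2024-11-14T09:05:00Z", ADMIN, name="ListBuckets")]  # noise the filter drops
)

def hourly_counts(events, user, start, end):
    """DeleteBucket calls by `user` per clock hour in [start, end), zero-filled."""
    counts = Counter()
    for e in events:
        if (e["eventSource"], e["eventName"]) != ("s3.amazonaws.com", "DeleteBucket"):
            continue
        if e["userIdentity"]["arn"] != user:
            continue
        t = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if start <= t < end:
            counts[t.replace(minute=0, second=0)] += 1
    n_hours = int((end - start) / timedelta(hours=1))
    return [counts[start + timedelta(hours=i)] for i in range(n_hours)]

def detect_spikes(events, now, baseline_hours=168, sigma=3.0, min_count=5):
    """Principals whose deletions in the hour containing `now` exceed mean + sigma*stdev
    of their own history. With no history the threshold is 0, so `min_count` is the floor."""
    cur_start = now.replace(minute=0, second=0, microsecond=0)
    base_start = cur_start - timedelta(hours=baseline_hours)
    spikes = {}
    for user in {e["userIdentity"]["arn"] for e in events}:
        history = hourly_counts(events, user, base_start, cur_start)
        current = hourly_counts(events, user, cur_start, cur_start + timedelta(hours=1))[0]
        threshold = mean(history) + sigma * pstdev(history)
        if current > threshold and current >= min_count:
            spikes[user] = (current, round(threshold, 3))
    return spikes
```

The deploy role's one deletion sits below its own threshold (about 1.28 for this history), so only the fifteen-deletion burst from the principal with no baseline is reported.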
Categories
- Cloud
- AWS
Data Sources
- Cloud Storage
- Cloud Service
ATT&CK Techniques
- T1530
Created: 2024-11-14