AWS User Deletion

Anvilogic Forge

Summary
This rule detects user deletion events in an AWS environment by monitoring AWS CloudTrail logs. The detection logic identifies 'DeleteUser' events recorded in CloudTrail within the past two hours; filtering on event time limits alerts to recent deletions, so security teams receive timely and relevant notifications. A user deletion can signal unauthorized account manipulation or a malicious action aimed at causing data loss, which makes it a critical event to monitor. The rule maps to two MITRE ATT&CK techniques: Account Manipulation (T1098) and Data Destruction (T1485). By providing targeted tracking of user deletions, this rule helps maintain the integrity and security of AWS accounts.
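As an added example, not code from the Anvilogic Forge rule itself, the following Python applies the same logic to a few constructed CloudTrail records: it keeps only `DeleteUser` events whose `eventTime` falls inside a two-hour lookback and emits the fields an analyst would triage. The record contents, the `find_recent_user_deletions` name and the fixed `SAMPLE_NOW` are assumptions for illustration; it goes slightly beyond the rule by also flagging denied attempts via CloudTrail's `errorCode` field.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample CloudTrail records (illustrative, not real log data).
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2024-02-09T11:30:00Z", "eventSource": "iam.amazonaws.com", "eventName": "DeleteUser",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"userName": "contractor-bob"}},
    {"eventTime": "2024-02-09T11:45:00Z", "eventSource": "iam.amazonaws.com", "eventName": "DeleteUser",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/carol"}, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"userName": "auditor"}, "errorCode": "AccessDenied"},
    {"eventTime": "2024-02-09T12:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"userName": "new-hire"}},
    {"eventTime": "2024-02-09T06:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "DeleteUser",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"userName": "old-service"}},
]})
# Constructed "current time" so the sample run is deterministic.
SAMPLE_NOW = datetime(2024, 2, 9, 12, 30, tzinfo=timezone.utc)


def parse_event_time(value):
    """CloudTrail eventTime is ISO 8601 UTC, e.g. 2024-02-09T11:30:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_recent_user_deletions(raw_json, now, window=timedelta(hours=2)):
    """One alert per DeleteUser event whose eventTime lies inside the lookback window."""
    alerts = []
    for rec in json.loads(raw_json)["Records"]:
        if rec.get("eventName") != "DeleteUser":
            continue
        event_time = parse_event_time(rec["eventTime"])
        if not (now - window <= event_time <= now):
            continue  # outside the rule's two-hour lookback
        alerts.append({
            "event_time": rec["eventTime"],
            # eventSource separates IAM deletions from other services that also emit DeleteUser.
            "event_source": rec.get("eventSource"),
            "actor": rec.get("userIdentity", {}).get("arn"),
            "deleted_user": rec.get("requestParameters", {}).get("userName"),
            "source_ip": rec.get("sourceIPAddress"),
            # A present errorCode means the call was denied; the attempt is still worth surfacing.
            "succeeded": "errorCode" not in rec,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_recent_user_deletions(SAMPLE_CLOUDTRAIL, SAMPLE_NOW):
        print(json.dumps(alert))
```

With the sample records, the 06:00 deletion falls outside the window and the CreateUser event is ignored, leaving two alerts, one of which is a denied attempt.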
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1098
  • T1485
Created: 2024-02-09