GCP: Logs Deleted

Anvilogic Forge

Summary
This detection rule identifies potential adversarial activity involving the unauthorized deletion of GCP audit logs. Audit logs are critical for accountability and traceability in cloud environments, and their deletion can signal an attempt by a threat actor to erase traces of their actions or to hinder detection. The rule inspects GCP audit log events and filters for entries that denote log deletions (`DeleteLog`) occurring within the last two hours. This time-bounded approach ensures that potential threats are surfaced promptly, allowing for rapid incident response. The rule maps to established threat techniques, specifically defense evasion through indicator removal (T1070) and initial access via valid accounts (T1078). By capturing only events related to log deletions, the rule keeps its focus on credible attempts to manipulate or erase digital evidence. The efficacy of this detection depends on timely log collection and analysis within the specified timeframe, helping organizations safeguard their cloud environments against malicious actions.
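The filtering logic described above, as an added example that is not part of the Anvilogic Forge rule itself: it runs over a few constructed GCP Cloud Audit Log entries (the `protoPayload.methodName` value `google.logging.v2.LoggingServiceV2.DeleteLog` is the Logging API method; the principals, project and timestamps are made up) and keeps only `DeleteLog` events inside a two-hour window ending at a given reference time.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample audit log entries (not real data).
SAMPLE_ENTRIES = [
    {"timestamp": "2024-08-15T11:30:00Z",
     "protoPayload": {"methodName": "google.logging.v2.LoggingServiceV2.DeleteLog",
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "resourceName": "projects/example-project/logs/app-log"}},
    {"timestamp": "2024-08-15T08:30:00Z",  # DeleteLog, but older than two hours
     "protoPayload": {"methodName": "google.logging.v2.LoggingServiceV2.DeleteLog",
                      "authenticationInfo": {"principalEmail": "bob@example.com"},
                      "resourceName": "projects/example-project/logs/old-log"}},
    {"timestamp": "2024-08-15T11:45:00Z",  # benign write, wrong method
     "protoPayload": {"methodName": "google.logging.v2.LoggingServiceV2.WriteLogEntries",
                      "authenticationInfo": {"principalEmail": "svc@example.com"},
                      "resourceName": "projects/example-project/logs/app-log"}},
    {"timestamp": "2024-08-15T10:05:00Z",  # DeleteLog just inside the window
     "protoPayload": {"methodName": "google.logging.v2.LoggingServiceV2.DeleteLog",
                      "authenticationInfo": {"principalEmail": "carol@example.com"},
                      "resourceName": "projects/example-project/logs/audit-export"}},
]

def parse_timestamp(ts):
    """Parse an RFC 3339 timestamp (with trailing Z) into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)

def find_log_deletions(entries, now, window=timedelta(hours=2)):
    """Return DeleteLog events whose timestamp falls within [now - window, now]."""
    cutoff = now - window
    hits = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        method = payload.get("methodName", "")
        # Match on the final method component so the check tolerates API version prefixes.
        if method.rsplit(".", 1)[-1] != "DeleteLog":
            continue
        ts = parse_timestamp(entry["timestamp"])
        if ts < cutoff or ts > now:
            continue
        hits.append({
            "timestamp": entry["timestamp"],
            "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
            "resource": payload.get("resourceName"),
        })
    return hits

if __name__ == "__main__":
    reference_time = datetime(2024, 8, 15, 12, 0, tzinfo=timezone.utc)
    for hit in find_log_deletions(SAMPLE_ENTRIES, reference_time):
        print(f"ALERT log deleted: {hit}")
```

In production the reference time would be the current time and the entries would come from the log sink or SIEM; the window should match how quickly logs actually arrive, or late-arriving deletions will be missed.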
Categories
  • Cloud
  • GCP
Data Sources
  • Cloud Service
  • Logon Session
ATT&CK Techniques
  • T1070
  • T1078
Created: 2024-08-15