Dropbox Many Deletes

Panther Rules

Summary
This rule monitors Dropbox TeamEvent data for file_delete actions to detect bulk deletions by a single actor within a 60-minute window. It triggers when more than 10 distinct files are deleted (the threshold is set to 11, so 11 unique deletions are required). The detection keys on the actor identity (actor.user.email) and tracks the set of deleted assets (assets[].path.contextual). It also captures context such as whether a non-team member was involved (involve_non_team_member) and the origin IP (origin.geo_location.ip_address) to help distinguish insider activity from external or compromised-account activity. The rule is labeled Experimental and is disabled by default, with a 60-minute dedup period so the same burst of activity does not raise duplicate alerts.

The rule contributes to Data Destruction detection (MITRE ATT&CK TA0040:T1485) by highlighting unusual bulk deletions in cloud storage. The Runbook outlines steps to enumerate the full set of affected assets, assess the involvement of external users or locations, and review related activity for suspicious patterns (e.g., bulk downloads, abnormal sharing, or login anomalies). The rule includes example tests covering deletion events (with and without non-team member involvement) and non-delete events to validate the alert logic.

The threshold should be tuned to the environment to balance detection coverage against false positives. Users should consider whether bulk deletions are legitimate admin operations and implement safeguards (e.g., change management, backups) accordingly. Environment tuning, potential false positives, and integration with incident response workflows should be addressed before enabling the rule in production.
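The following is an added illustration of the logic described above, not the rule's own source or any Panther code. It models the per-event test in the shape of a Panther Python rule (rule / alert_context) and then approximates, in plain Python, the platform-side aggregation that Panther normally performs through the rule's threshold and dedup settings: group file_delete events by actor, slide a 60-minute window over them, and count distinct deleted paths. The event records are constructed samples; the event_type._tag key, the timestamp field name, and the example emails, paths and IP are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Threshold and window as stated on the page: 11 distinct deleted paths
# by one actor within 60 minutes.
THRESHOLD = 11
WINDOW = timedelta(minutes=60)


def deep_get(obj, *keys, default=None):
    """Walk nested dicts safely; return default if any key is missing."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def rule(event):
    """Per-event test in Panther rule shape: only file_delete TeamEvents
    are candidates for the threshold count. (event_type._tag is an assumed
    field layout for this example.)"""
    return deep_get(event, "event_type", "_tag") == "file_delete"


def actor_email(event):
    return deep_get(event, "actor", "user", "email", default="<unknown>")


def deleted_paths(event):
    """Distinct contextual paths of the assets touched by one event."""
    paths = set()
    for asset in event.get("assets") or []:
        path = deep_get(asset, "path", "contextual")
        if path:
            paths.add(path)
    return paths


def alert_context(event):
    """Context the runbook asks for: actor, paths, external involvement, origin IP."""
    return {
        "actor": actor_email(event),
        "paths": sorted(deleted_paths(event)),
        "involve_non_team_member": bool(event.get("involve_non_team_member")),
        "origin_ip": deep_get(event, "origin", "geo_location", "ip_address"),
    }


def find_bulk_deleters(events, threshold=THRESHOLD, window=WINDOW):
    """Approximate the aggregation Panther does via threshold + dedup: per
    actor, order file_delete events by time, slide a window over them and
    keep the largest set of distinct paths deleted inside any one window.
    Returns {actor_email: sorted_paths} for actors reaching the threshold."""
    per_actor = defaultdict(list)
    for ev in events:
        if not rule(ev):
            continue
        ts = datetime.fromisoformat(ev["timestamp"])
        per_actor[actor_email(ev)].append((ts, deleted_paths(ev)))

    hits = {}
    for actor, items in per_actor.items():
        items.sort(key=lambda item: item[0])
        best = set()
        for i, (start, _) in enumerate(items):
            seen = set()
            for ts, paths in items[i:]:
                if ts - start > window:
                    break  # later events fall outside this window
                seen |= paths
            if len(seen) > len(best):
                best = seen
        if len(best) >= threshold:
            hits[actor] = sorted(best)
    return hits


def _delete_event(email, ts, paths, external=False, ip="203.0.113.10"):
    """Build a constructed file_delete TeamEvent for the sample data below."""
    return {
        "timestamp": ts,
        "event_type": {"_tag": "file_delete"},
        "actor": {"user": {"email": email}},
        "assets": [{"path": {"contextual": p}} for p in paths],
        "involve_non_team_member": external,
        "origin": {"geo_location": {"ip_address": ip}},
    }


# Constructed sample events (not real Dropbox data).
SAMPLE_EVENTS = [
    # alice: 6 + 6 distinct paths 20 minutes apart -> 12 distinct, alerts
    _delete_event("alice@example.com", "2026-04-21T10:00:00+00:00",
                  [f"/Finance/q1-{i}.xlsx" for i in range(6)]),
    _delete_event("alice@example.com", "2026-04-21T10:20:00+00:00",
                  [f"/Finance/q2-{i}.xlsx" for i in range(6)], external=True),
    # alice: a delete three hours earlier is outside the window and not counted
    _delete_event("alice@example.com", "2026-04-21T07:00:00+00:00", ["/Finance/old.xlsx"]),
    # bob: the same 3 paths deleted twice -> only 3 distinct, below threshold
    _delete_event("bob@example.com", "2026-04-21T11:00:00+00:00", ["/a", "/b", "/c"]),
    _delete_event("bob@example.com", "2026-04-21T11:05:00+00:00", ["/a", "/b", "/c"]),
    # carol: a non-delete event, ignored by rule()
    {"timestamp": "2026-04-21T12:00:00+00:00", "event_type": {"_tag": "file_add"},
     "actor": {"user": {"email": "carol@example.com"}},
     "assets": [{"path": {"contextual": "/new.docx"}}]},
]

if __name__ == "__main__":
    for actor, paths in find_bulk_deleters(SAMPLE_EVENTS).items():
        print(f"{actor}: {len(paths)} distinct files deleted within {WINDOW}")
```

Counting distinct paths rather than events is what makes bob's repeated deletion of the same three files stay below the threshold, and the sliding window is what keeps alice's earlier, unrelated delete from inflating her count; both are the behaviours a tuning exercise should check before the threshold is adjusted for a given environment.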
Categories
  • Cloud
Data Sources
  • Cloud Storage
ATT&CK Techniques
  • T1485
Created: 2026-04-21