Crowdstrike API Key Deleted

Panther Rules

Summary
The 'Crowdstrike API Key Deleted' rule is designed to detect unauthorized deletions of API keys in the CrowdStrike platform. It analyzes audit events from the CrowdStrike Event Streams and looks for actions that delete an API key, specifically events in which an API Client ID is referenced for deletion. The rule raises an alert when it sees a successful deletion operation together with the relevant actor attributes, such as the acting user's ID and source IP address. Each alert should be checked against change records to confirm the deletion was authorized: an unexpected deletion can indicate malicious activity (for example, an attempt to cut off a security integration) or an overly broad access level. The rule is configured with medium severity, meaning it warrants attention but does not by itself signal an immediate threat, and uses a 60-minute deduplication period so that repeated events for the same deletion do not generate duplicate alerts.
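The following is an added illustration of the detection logic described above, written in the Panther rule style (a `rule`, `title` and `dedup` function per event). It is not the rule's actual source from the Panther repository. The field names used here (`ServiceName`, `OperationName`, `Success`, `UserId`, `UserIp`, `AuditKeyValues` with `Key`/`ValueString` pairs) and the constant values that identify an API client deletion are assumptions made for the example, not confirmed from the page; the sample events are constructed, not real log data.

```python
"""Added example, not the Panther rule's own code.

Flags a successful deletion of a CrowdStrike API client in an Event Streams
audit event, and derives a dedup key so that repeated events for the same
actor and client collapse into one alert within the dedup window.
Field and constant names are assumed for illustration.
"""
from typing import Any, Dict, List

# Assumed identifiers for the audit action; adjust to the real log schema.
DELETE_OPERATION = "DeleteAPIClient"
API_CLIENT_SERVICE = "APIClient"
CLIENT_ID_KEY = "APIClientID"
DEDUP_MINUTES = 60  # matches the deduplication period stated on the page


def api_client_id(event: Dict[str, Any]) -> str:
    """Return the API Client ID referenced in the audit key/value list."""
    for kv in event.get("AuditKeyValues") or []:
        if kv.get("Key") == CLIENT_ID_KEY:
            return str(kv.get("ValueString", ""))
    return "<unknown>"


def rule(event: Dict[str, Any]) -> bool:
    """Alert only on a *successful* delete of an API client.

    Failed attempts and other operations on the same service are ignored,
    which keeps the alert focused on a completed loss of a credential.
    """
    return (
        event.get("ServiceName") == API_CLIENT_SERVICE
        and event.get("OperationName") == DELETE_OPERATION
        and event.get("Success") is True
    )


def title(event: Dict[str, Any]) -> str:
    """Alert title carrying the actor attributes an analyst needs first."""
    return (
        f"CrowdStrike API client [{api_client_id(event)}] deleted by "
        f"[{event.get('UserId', '<unknown>')}] "
        f"from [{event.get('UserIp', '<unknown>')}]"
    )


def dedup(event: Dict[str, Any]) -> str:
    """One alert per actor and client within the dedup window."""
    return f"{event.get('UserId', '<unknown>')}:{api_client_id(event)}"


def alert_context(event: Dict[str, Any]) -> Dict[str, Any]:
    """Structured fields for the analyst to validate against change records."""
    return {
        "actor_user_id": event.get("UserId"),
        "actor_ip": event.get("UserIp"),
        "api_client_id": api_client_id(event),
        "timestamp": event.get("UTCTimestamp"),
    }


def evaluate(events: List[Dict[str, Any]]) -> List[str]:
    """Run the rule over a batch and return the titles of events that fire."""
    return [title(e) for e in events if rule(e)]


# Constructed sample events (not real CrowdStrike data).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {  # successful deletion -> should alert
        "ServiceName": "APIClient",
        "OperationName": "DeleteAPIClient",
        "Success": True,
        "UserId": "admin@example.com",
        "UserIp": "203.0.113.10",
        "UTCTimestamp": 1721000000,
        "AuditKeyValues": [{"Key": "APIClientID", "ValueString": "abc123"}],
    },
    {  # failed deletion attempt -> no alert
        "ServiceName": "APIClient",
        "OperationName": "DeleteAPIClient",
        "Success": False,
        "UserId": "intern@example.com",
        "UserIp": "198.51.100.7",
        "AuditKeyValues": [{"Key": "APIClientID", "ValueString": "abc123"}],
    },
    {  # creation of a client -> no alert
        "ServiceName": "APIClient",
        "OperationName": "CreateAPIClient",
        "Success": True,
        "UserId": "admin@example.com",
        "UserIp": "203.0.113.10",
        "AuditKeyValues": [{"Key": "APIClientID", "ValueString": "def456"}],
    },
]


if __name__ == "__main__":
    for t in evaluate(SAMPLE_EVENTS):
        print(t)
```

Running the block prints one title, for the first sample event only. The `dedup` key combines actor and client ID rather than actor alone, so two different clients deleted by the same user within the window still surface as separate alerts, while repeated events for one deletion do not.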
Categories
  • Cloud
  • Application
  • Identity Management
Data Sources
  • Cloud Service
  • Logon Session
ATT&CK Techniques
  • T1531
  • T1070
Created: 2024-07-15