
Summary
This analytic rule detects AWS 'DeleteTrail' events recorded in CloudTrail logs, using data from Amazon Security Lake in the Open Cybersecurity Schema Framework (OCSF) format. Deleting a CloudTrail trail is a critical action that adversaries may perform to obfuscate their activity and evade detection. The rule identifies any deletion of a CloudTrail trail; if confirmed as malicious, the deletion indicates a potential threat, since it lets an attacker conceal subsequent operations and hampers auditing and investigation within the AWS environment. Implementing this detection requires ingesting the CloudTrail logs into Splunk with an appropriate version of the AWS Add-on.
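The detection logic run over constructed OCSF records, as an added example that is not part of this rule or Splunk's content. It assumes the OCSF API Activity class (class_uid 6003) field paths `api.operation`, `api.service.name`, `api.response.error`, `actor.user.name`, `src_endpoint.ip` and `status`; the exact paths in a given Security Lake source version may differ, and the sample events and identifiers are constructed.

```python
import json

def _event(operation, status, user, ip, error=None):
    """Build a constructed OCSF API Activity (class_uid 6003) record as JSON."""
    api = {"operation": operation, "service": {"name": "cloudtrail.amazonaws.com"}}
    if error:
        api["response"] = {"error": error}  # assumed OCSF path for the AWS errorCode
    return json.dumps({"class_uid": 6003, "status": status, "api": api,
                       "cloud": {"provider": "AWS", "account": {"uid": "123456789012"}},
                       "actor": {"user": {"name": user}},
                       "src_endpoint": {"ip": ip}})

# Constructed sample feed: one successful deletion, one denied attempt,
# one benign read-only call, and one malformed line the parser must skip.
SAMPLE_EVENTS = [
    _event("DeleteTrail", "Success", "alice", "198.51.100.7"),
    _event("DeleteTrail", "Failure", "ci-deploy", "203.0.113.9",
           error="AccessDeniedException"),
    _event("DescribeTrails", "Success", "alice", "198.51.100.7"),
    "not json at all",
]

def is_delete_trail(event):
    """True for an OCSF API Activity record of CloudTrail's DeleteTrail call."""
    api = event.get("api") or {}
    return (event.get("class_uid") == 6003
            and (api.get("service") or {}).get("name") == "cloudtrail.amazonaws.com"
            and api.get("operation") == "DeleteTrail")

def detect_delete_trail(lines):
    """Scan newline-delimited OCSF JSON; return triage fields for each hit."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except ValueError:
            continue  # skip malformed records rather than abort the search
        if not is_delete_trail(event):
            continue
        cloud, api = event.get("cloud") or {}, event.get("api") or {}
        hits.append({
            "account": (cloud.get("account") or {}).get("uid"),
            "user": ((event.get("actor") or {}).get("user") or {}).get("name"),
            "src_ip": (event.get("src_endpoint") or {}).get("ip"),
            "status": event.get("status"),  # a denied attempt still merits triage
            "error": (api.get("response") or {}).get("error"),
        })
    return hits
```

A denied DeleteTrail is kept in the results on purpose: the attempt itself is the signal, and the `status` and `error` fields let the analyst separate a successful deletion from a blocked one.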
Categories
- Cloud
- AWS
Data Sources
- Cloud Storage
ATT&CK Techniques
- T1562
- T1562.008
Created: 2024-11-14