AWS CloudTrail Retention Lifecycle Too Short

Panther Rules

Summary
This detection rule identifies when the lifecycle configuration of an Amazon S3 bucket that stores CloudTrail logs is changed so that objects are deleted after a short period, i.e. less than 30 days. A short retention period severely limits audit capabilities and is often associated with malicious activity or with misconfigurations that undermine logging integrity. The rule looks for changes to the lifecycle configuration of buckets specifically designated for storing CloudTrail logs, checking for expiration settings of one day or other unreasonably short durations. It maps to the MITRE ATT&CK technique for impairing logging capabilities (TA0005:T1562.008). The rule raises an alert on any such modification; the integrated runbook suggests response actions, advising that the bucket contents be verified and, where appropriate, that filters be added to reduce future false positives.
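The following is an added illustration of the logic the summary describes, written in the Panther rule style (a rule(event) function returning True to alert) but not the detection's own source code. The bucket list CLOUDTRAIL_LOG_BUCKETS, the 30-day threshold constant, the helper names and the sample CloudTrail event are all constructed assumptions; a real deployment would derive the bucket list from the trail configuration rather than hard-code it.

```python
"""Flag a CloudTrail PutBucketLifecycle / PutBucketLifecycleConfiguration
event that sets object expiration shorter than 30 days on a bucket known
to hold CloudTrail logs. Illustrative code, not the rule's own source."""

# Hypothetical: buckets the organisation knows to hold CloudTrail logs.
CLOUDTRAIL_LOG_BUCKETS = {"example-org-cloudtrail-logs"}
MIN_RETENTION_DAYS = 30
LIFECYCLE_EVENTS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}


def _lifecycle_rules(event):
    """Return the lifecycle rules from requestParameters as a list.
    CloudTrail renders the XML request body as JSON: 'Rule' is a dict when
    a single rule was submitted and a list when several were."""
    params = event.get("requestParameters") or {}
    config = params.get("LifecycleConfiguration") or {}
    rules = config.get("Rule", [])
    return rules if isinstance(rules, list) else [rules]


def shortest_expiration_days(event):
    """Smallest Expiration.Days among enabled rules, or None if no enabled
    rule sets a day-based expiration (date-based expirations are ignored)."""
    days = [
        r["Expiration"]["Days"]
        for r in _lifecycle_rules(event)
        if r.get("Status", "Enabled") == "Enabled"
        and isinstance((r.get("Expiration") or {}).get("Days"), int)
    ]
    return min(days) if days else None


def rule(event):
    """Panther-style entry point: True means the event should alert."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return False
    if event.get("eventName") not in LIFECYCLE_EVENTS:
        return False
    bucket = (event.get("requestParameters") or {}).get("bucketName")
    if bucket not in CLOUDTRAIL_LOG_BUCKETS:
        return False
    days = shortest_expiration_days(event)
    return days is not None and days < MIN_RETENTION_DAYS


def title(event):
    """Alert title naming the bucket and the new retention."""
    bucket = (event.get("requestParameters") or {}).get("bucketName")
    return (f"CloudTrail log bucket [{bucket}] lifecycle set to expire "
            f"objects after {shortest_expiration_days(event)} day(s)")


# Constructed sample record shaped like a CloudTrail management event.
SAMPLE_EVENT = {
    "eventSource": "s3.amazonaws.com",
    "eventName": "PutBucketLifecycle",
    "requestParameters": {
        "bucketName": "example-org-cloudtrail-logs",
        "LifecycleConfiguration": {
            "Rule": {
                "ID": "expire-fast",
                "Status": "Enabled",
                "Filter": {"Prefix": ""},
                "Expiration": {"Days": 1},
            },
        },
    },
}

if __name__ == "__main__":
    print(rule(SAMPLE_EVENT), title(SAMPLE_EVENT))
```

The helper tolerates both the single-rule (dict) and multi-rule (list) shapes CloudTrail produces and skips rules whose Status is Disabled, which is where false positives from routine lifecycle housekeeping tend to come from. An expiration expressed as a Date rather than Days is not evaluated here; a production version would also want to compare that date against the event time.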
Categories
  • Cloud
  • AWS
  • Infrastructure
Data Sources
  • Sensor Health
  • Script
  • Logon Session
  • Cloud Service
ATT&CK Techniques
  • T1562.008
Created: 2024-12-06