
Summary
The detection rule titled "Sublime Mailbox Deactivated" monitors for events indicating that a Sublime user has deactivated one or more mailboxes. It raises an alert whenever such an action occurs, since mailbox deactivation can be a sign of unauthorized access to, or misuse of, the mailbox management functionality. The rule notes that if a legitimate user performed the action, the event should still be reassessed to determine whether the mailboxes need to be re-enabled to maintain organizational security. Given the medium severity of these alerts, security teams should investigate each event thoroughly to distinguish legitimate administrative changes from malicious activity. The rule relies on audit logs from the Sublime platform to detect deactivation events and applies a one-hour de-duplication period so that the same event does not generate repeated alerts.
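The following is an added example that is not part of the rule page or of Sublime's own tooling. It shows the detection logic described above run over a few constructed audit log lines: pick out mailbox deactivation events, raise a medium-severity alert per actor and mailbox, and suppress repeats of the same actor/mailbox pair inside a one-hour window. The log field names (timestamp, event_type, actor, mailbox_ids) and the event type value "mailbox.deactivated" are assumptions for this example, not Sublime's documented audit schema.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample audit log lines. The field names and the event type
# value are assumptions for this example, not Sublime's documented schema.
SAMPLE_AUDIT_LOG = [
    '{"timestamp": "2024-09-25T10:00:00Z", "event_type": "mailbox.deactivated", "actor": "alice@example.com", "mailbox_ids": ["mbx-1"]}',
    '{"timestamp": "2024-09-25T10:05:00Z", "event_type": "mailbox.deactivated", "actor": "alice@example.com", "mailbox_ids": ["mbx-1"]}',
    '{"timestamp": "2024-09-25T10:20:00Z", "event_type": "mailbox.deactivated", "actor": "alice@example.com", "mailbox_ids": ["mbx-2"]}',
    '{"timestamp": "2024-09-25T10:30:00Z", "event_type": "mailbox.activated", "actor": "bob@example.com", "mailbox_ids": ["mbx-3"]}',
    'this line is not valid JSON and should be skipped',
    '{"timestamp": "2024-09-25T11:30:00Z", "event_type": "mailbox.deactivated", "actor": "alice@example.com", "mailbox_ids": ["mbx-1"]}',
]

# De-duplication window stated by the rule description.
DEDUP_WINDOW = timedelta(hours=1)
DEACTIVATION_EVENT_TYPE = "mailbox.deactivated"  # assumed value


def parse_event(line):
    """Parse one JSON audit line; return None if it is malformed or lacks a timestamp."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    raw_ts = event.get("timestamp")
    if not isinstance(raw_ts, str):
        return None
    try:
        # fromisoformat does not accept a trailing "Z" on older Pythons.
        event["_ts"] = datetime.fromisoformat(raw_ts.replace("Z", "+00:00"))
    except ValueError:
        return None
    if event["_ts"].tzinfo is None:
        event["_ts"] = event["_ts"].replace(tzinfo=timezone.utc)
    return event


def is_mailbox_deactivation(event):
    """The rule's match condition: the audit event records a mailbox deactivation."""
    return event.get("event_type") == DEACTIVATION_EVENT_TYPE


def detect_mailbox_deactivations(lines, dedup_window=DEDUP_WINDOW):
    """Return one alert per (actor, mailbox) deactivation, suppressing repeats
    of the same pair that fall within dedup_window of the last alert."""
    events = [e for e in (parse_event(l) for l in lines) if e is not None]
    events.sort(key=lambda e: e["_ts"])  # lines may arrive out of order

    last_alert_at = {}  # (actor, mailbox_id) -> timestamp of last alert
    alerts = []
    for event in events:
        if not is_mailbox_deactivation(event):
            continue
        actor = event.get("actor", "unknown")
        for mailbox_id in event.get("mailbox_ids", []):
            key = (actor, mailbox_id)
            previous = last_alert_at.get(key)
            if previous is not None and event["_ts"] - previous < dedup_window:
                continue  # same event repeated inside the de-dup window
            last_alert_at[key] = event["_ts"]
            alerts.append({
                "title": "Sublime Mailbox Deactivated",
                "severity": "medium",
                "actor": actor,
                "mailbox_id": mailbox_id,
                "timestamp": event["_ts"].isoformat(),
                "attack_technique": "T1562.001",
                "triage_note": "Confirm the actor was authorized; if not, "
                               "re-enable the mailbox and review the actor's session.",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mailbox_deactivations(SAMPLE_AUDIT_LOG):
        print(json.dumps(alert))
```

On the constructed input the first deactivation of mbx-1 alerts, the repeat five minutes later is suppressed, the deactivation of mbx-2 alerts because it is a different mailbox, the activation event is ignored, the malformed line is skipped, and the deactivation of mbx-1 ninety minutes after the first alerts again because it falls outside the one-hour window. Keying the de-duplication on actor and mailbox rather than on actor alone keeps a single user disabling several mailboxes in quick succession visible as separate alerts.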
Categories
- Cloud
- Identity Management
- Application
Data Sources
- User Account
- Application Log
- Logon Session
ATT&CK Techniques
- T1562.001
Created: 2024-09-25