
GCP Storage Bucket Deletion

Elastic Detection Rules

Summary
This detection rule monitors Google Cloud Platform (GCP) audit logs for storage bucket deletions, a potential indicator of malicious activity aimed at disrupting business operations. It identifies audit log events in which a 'storage.buckets.delete' action occurs, signaling that a storage bucket may have been purged. Each match should be investigated so that security teams can determine whether the deletion was authorized or the result of a security incident. False positives may arise from legitimate administrator actions, so the rule includes guidance for distinguishing authorized maintenance from suspicious behavior. The rule depends on GCP setup requirements, including configuration of the corresponding Filebeat module, so that the audit logs are ingested and the rule can operate.
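As an added illustration, not the Elastic rule's own query or code, the following Python applies the same logic over a few constructed Cloud Audit Log lines: it keeps only `storage.buckets.delete` events on the Cloud Storage service and marks for review any deletion by a principal outside an assumed allowlist (the sample entries, timestamps and allowlist are constructed assumptions).

```python
import json

DELETE_METHOD = "storage.buckets.delete"
STORAGE_SERVICE = "storage.googleapis.com"

def _entry(ts, method, principal, resource):
    """Build one constructed Cloud Audit Log entry as a JSON line."""
    return json.dumps({"timestamp": ts, "protoPayload": {
        "serviceName": STORAGE_SERVICE, "methodName": method,
        "authenticationInfo": {"principalEmail": principal},
        "resourceName": resource}})

# Constructed sample log: a bucket deletion by a known admin, an object delete
# (not a bucket, must not fire), a malformed line, and a bucket deletion by an
# unexpected service account.
SAMPLE_LOG_LINES = [
    _entry("2024-03-01T10:00:00Z", DELETE_METHOD, "admin@example.com",
           "projects/_/buckets/backups-prod"),
    _entry("2024-03-01T10:05:00Z", "storage.objects.delete", "app@example.com",
           "projects/_/buckets/backups-prod/objects/x.tar"),
    "not json at all",
    _entry("2024-03-01T23:40:00Z", DELETE_METHOD,
           "ci-runner@example.iam.gserviceaccount.com",
           "projects/_/buckets/customer-exports"),
]

# Assumed allowlist: principals whose bucket deletions are covered by a change ticket.
APPROVED_PRINCIPALS = frozenset({"admin@example.com"})

def detect_bucket_deletions(lines, approved=APPROVED_PRINCIPALS):
    """Return one alert per storage.buckets.delete event; 'review' is True
    when the actor is not on the approved list, so those get triaged first."""
    alerts = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON audit record
        payload = entry.get("protoPayload", {})
        if (payload.get("serviceName") != STORAGE_SERVICE
                or payload.get("methodName") != DELETE_METHOD):
            continue  # other service, or a non-bucket operation such as an object delete
        actor = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        # resourceName looks like projects/_/buckets/<bucket>; keep the bucket name
        bucket = payload.get("resourceName", "").rsplit("/", 1)[-1]
        alerts.append({"time": entry.get("timestamp"), "actor": actor, "bucket": bucket,
                       "technique": "T1485", "review": actor not in approved})
    return alerts
```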
Categories
  • Cloud
  • GCP
Data Sources
  • Cloud Storage
  • Network Traffic
ATT&CK Techniques
  • T1485
Created: 2020-09-21