
Summary
This detection rule monitors AWS CloudTrail logs for occurrences of the 'DeleteTrail' event, which may indicate an adversary deleting CloudTrail trails to evade detection. The logic queries CloudTrail for events from the last two hours in which an 'AwsApiCall' deletes a trail. This behavior is associated with the LUCR-3 threat actor, which is known to disable cloud logging as a form of defense evasion. The technique maps to MITRE ATT&CK technique T1562.008, which covers impairing defenses by disabling cloud logs. The reference URL links to the AWS documentation for 'DeleteTrail', giving further context on the API call and its implications.
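As an added example (not part of the rule itself), the rule's logic run in Python over a constructed CloudTrail "Records" file: it keeps AwsApiCall records named DeleteTrail whose eventTime falls inside a two-hour window and surfaces the actor, trail, region and outcome for triage. The field names are the standard CloudTrail record fields; the sample records, account IDs, ARNs, IPs and timestamps are made up.

```python
import json
from datetime import datetime, timedelta, timezone
# Constructed CloudTrail log file ("Records" array as delivered to S3); IDs, ARNs, IPs are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-02-09T10:05:00Z", "eventType": "AwsApiCall", "eventName": "DeleteTrail",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/example-admin"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"}},
    {"eventTime": "2024-02-09T10:06:00Z", "eventType": "AwsApiCall", "eventName": "DeleteTrail",
     "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/dev/s1"},
     "requestParameters": {"name": "dev-trail"}},
    {"eventTime": "2024-02-09T10:07:00Z", "eventType": "AwsApiCall", "eventName": "DescribeTrails",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/example-admin"}},
    {"eventTime": "2024-02-09T06:00:00Z", "eventType": "AwsApiCall", "eventName": "DeleteTrail",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/example-admin"},
     "requestParameters": {"name": "old-trail"}},
]})

def parse_event_time(value):
    # CloudTrail eventTime is ISO 8601 in UTC with a trailing "Z".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def detect_delete_trail(log_text, now=None, window=timedelta(hours=2)):
    """Return DeleteTrail AwsApiCall records whose eventTime lies within `window` before `now`."""
    now = parse_event_time(now) if isinstance(now, str) else now or datetime.now(timezone.utc)
    hits = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventType") != "AwsApiCall" or rec.get("eventName") != "DeleteTrail":
            continue
        ts = parse_event_time(rec["eventTime"])
        if not (now - window <= ts <= now):
            continue  # outside the rule's two-hour lookback
        hits.append({
            "time": rec["eventTime"],
            "actor": rec.get("userIdentity", {}).get("arn"),
            "trail": (rec.get("requestParameters") or {}).get("name"),
            "region": rec.get("awsRegion"),
            "source_ip": rec.get("sourceIPAddress"),
            # A denied attempt is still a DeleteTrail event and still worth triage.
            "outcome": rec.get("errorCode", "Success"),
        })
    return hits

if __name__ == "__main__":
    for hit in detect_delete_trail(SAMPLE_LOG, now="2024-02-09T11:00:00Z"):
        print(hit)
```

Once a trail is deleted it no longer delivers logs, so the record of its own deletion has to come from another trail (for example an organization trail) or from CloudTrail Event history.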
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
- Cloud Storage
ATT&CK Techniques
- T1562.008
Created: 2024-02-09