
Summary
This detection rule identifies when a user has disabled or deleted an AWS EventBridge rule. EventBridge rules route events between AWS services and into monitoring and response pipelines, so disabling or deleting one can silence alerting or break automated workflows, which is why the technique maps to T1489 (Service Stop). The rule uses AWS CloudTrail logs and matches the DisableRule and DeleteRule API calls recorded with the EventBridge event source (events.amazonaws.com); the event source matters because other services, such as Elastic Load Balancing, also log an API call named DeleteRule. It aims to flag unauthorized modifications that could indicate misuse or compromise. The detection includes a guide for investigating these actions: analyzing the CloudTrail record (the calling principal, its source IP, and the name of the affected rule), assessing the caller's permissions, and verifying the intent behind the change. It further provides strategies to handle false positives originating from legitimate administrative actions, automation scripts, or approved maintenance activities.
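The following is an added example of the detection logic described above, run over a handful of constructed CloudTrail records; it is not the rule's own implementation. The sample records, the account ID, the principal ARNs and the allowlist of approved maintenance roles are all assumptions made for illustration. The allowlist stands in for one of the false-positive strategies the summary mentions, and the `errorCode` check drops denied attempts that changed nothing.

```python
import json

# Constructed CloudTrail records (not real logs), trimmed to the fields the check reads.
SAMPLE_RECORDS = [
    {  # successful DeleteRule by an IAM user: should alert
        "eventTime": "2021-10-17T08:12:41Z", "eventSource": "events.amazonaws.com",
        "eventName": "DeleteRule", "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
        "requestParameters": {"name": "guardduty-findings-to-siem"},
    },
    {  # DisableRule that was denied: nothing changed, so no alert
        "eventTime": "2021-10-17T08:15:02Z", "eventSource": "events.amazonaws.com",
        "eventName": "DisableRule", "errorCode": "AccessDenied", "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/bob"},
        "requestParameters": {"name": "guardduty-findings-to-siem"},
    },
    {  # DisableRule by an approved maintenance role (assumption): matches, but suppressed
        "eventTime": "2021-10-17T09:00:00Z", "eventSource": "events.amazonaws.com",
        "eventName": "DisableRule", "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111111111111:assumed-role/eventbridge-maintenance/deploy-42"},
        "requestParameters": {"name": "nightly-backup-trigger"},
    },
    {  # DeleteRule from Elastic Load Balancing (a listener rule): wrong service, ignore
        "eventTime": "2021-10-17T09:30:11Z", "eventSource": "elasticloadbalancing.amazonaws.com",
        "eventName": "DeleteRule", "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/carol"},
        "requestParameters": {"ruleArn": "arn:aws:elasticloadbalancing:us-east-1:111111111111:listener-rule/app/web/1a2b/3c4d/5e6f"},
    },
    {  # DisableRule via an unknown assumed role (e.g. a compromised instance): should alert
        "eventTime": "2021-10-17T10:45:19Z", "eventSource": "events.amazonaws.com",
        "eventName": "DisableRule", "sourceIPAddress": "192.0.2.88",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111111111111:assumed-role/ec2-web-role/i-0abc123"},
        "requestParameters": {"name": "config-drift-notify"},
    },
]

EVENTBRIDGE_SOURCE = "events.amazonaws.com"
TAMPER_EVENTS = {"DisableRule", "DeleteRule"}

# Hypothetical allowlist of principals approved to disable/delete rules; an assumption
# standing in for a real environment's change process. Prefix match covers every
# session name of the role.
APPROVED_PRINCIPAL_PREFIXES = (
    "arn:aws:sts::111111111111:assumed-role/eventbridge-maintenance/",
)


def records_from_trail_json(text):
    """CloudTrail files delivered to S3 wrap the records as {"Records": [...]}."""
    return json.loads(text).get("Records", [])


def matches_rule(record):
    """True for a *successful* EventBridge DisableRule/DeleteRule call.

    The eventSource check keeps same-named calls from other services (ELBv2 also
    has DeleteRule) out; the errorCode check drops attempts that were denied.
    """
    return (record.get("eventSource") == EVENTBRIDGE_SOURCE
            and record.get("eventName") in TAMPER_EVENTS
            and "errorCode" not in record)


def is_approved(record, approved_prefixes=APPROVED_PRINCIPAL_PREFIXES):
    """Suppression for known automation/maintenance principals."""
    return record.get("userIdentity", {}).get("arn", "").startswith(approved_prefixes)


def detect(records, approved_prefixes=APPROVED_PRINCIPAL_PREFIXES):
    """One finding per matching record, carrying the fields an investigator needs
    first (who, from where, which rule) plus a 'suppressed' flag for allowlisted callers."""
    findings = []
    for r in records:
        if not matches_rule(r):
            continue
        identity = r.get("userIdentity", {})
        findings.append({
            "time": r.get("eventTime"),
            "action": r["eventName"],
            "rule_name": r.get("requestParameters", {}).get("name"),
            "principal": identity.get("arn"),
            "principal_type": identity.get("type"),
            "source_ip": r.get("sourceIPAddress"),
            "suppressed": is_approved(r, approved_prefixes),
        })
    return findings


def alerts(records, approved_prefixes=APPROVED_PRINCIPAL_PREFIXES):
    """Findings that should actually be raised to an analyst."""
    return [f for f in detect(records, approved_prefixes) if not f["suppressed"]]


if __name__ == "__main__":
    for f in alerts(SAMPLE_RECORDS):
        print(f"{f['time']} {f['action']} rule={f['rule_name']} "
              f"by {f['principal']} from {f['source_ip']}")
```

Against the sample set this raises two alerts (the IAM user deleting the GuardDuty forwarding rule and the unknown EC2 role disabling the drift notifier), records the maintenance role's change as a suppressed finding so it still appears in the audit trail, and ignores both the denied attempt and the ELB listener-rule deletion. Passing an empty allowlist turns the suppressed finding into a third alert, which is the right default until a given role's maintenance activity has actually been verified.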
Categories
- Cloud
- AWS
Data Sources
- Cloud Storage
- Application Log
- Network Traffic
ATT&CK Techniques
- T1489
Created: 2021-10-17