
Summary
This rule monitors for and detects the deletion of security-enabled global groups in a Windows environment. Such deletions can indicate malicious activity, particularly when an attacker is trying to manipulate user permissions or disrupt access controls. The rule matches on specific Windows Event IDs (4730 for deletion of a security-enabled global group and 634 for deletion of a group). Identifying these events reliably is important for preserving the integrity of user access and permissions across the organization. Although the rule is rated 'low' severity, it has a low false positive rate, so security teams should still investigate each match to confirm it was a legitimate action by authorized personnel and not part of a larger security incident.
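As an added example (not the rule's own implementation or any vendor's code), the following Python runs the rule's core condition over constructed sample event records: it flags Event ID 4730 and the legacy Event ID 634 named above and ignores everything else. The records are made-up JSON lines shaped like SIEM-exported Windows Security events; the field names (EventID, SubjectUserName, TargetUserName and so on) follow the standard Windows audit schema, but the values, the account names, and the `approved_admins` allowlist used for triage enrichment are all assumptions for this example.

```python
"""Detection logic for the group-deletion rule, run over constructed sample events.

Added example, not the rule's own implementation. It flags Event ID 4730
(security-enabled global group deleted) and the legacy Event ID 634. All sample
data below is constructed for illustration; field names follow the Windows audit
schema but the values are not real.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List

# Event IDs named in the rule: 4730 (current Windows) and 634 (legacy).
GROUP_DELETION_EVENT_IDS = {4730, 634}

# Constructed sample log lines (not real data): one modern deletion, one legacy
# deletion, one unrelated group-membership change, and one malformed line.
SAMPLE_LOG = """\
{"EventID": 4730, "Channel": "Security", "SubjectUserName": "jdoe", "SubjectDomainName": "CORP", "TargetUserName": "Finance-Admins", "TargetDomainName": "CORP"}
{"EventID": 634, "Channel": "Security", "SubjectUserName": "svc-legacy", "SubjectDomainName": "CORP", "TargetUserName": "Print-Operators-GG", "TargetDomainName": "CORP"}
{"EventID": 4729, "Channel": "Security", "SubjectUserName": "jdoe", "SubjectDomainName": "CORP", "TargetUserName": "Finance-Admins", "TargetDomainName": "CORP"}
not json at all
"""


@dataclass(frozen=True)
class Alert:
    event_id: int
    group: str
    actor: str
    severity: str = "low"   # the rule's stated severity
    triage: str = ""        # enrichment hint for the analyst


def parse_events(text: str) -> List[dict]:
    """Parse JSON-lines input, skipping blank or malformed lines instead of crashing."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a production pipeline would count these as parse errors
    return events


def is_group_deletion(event: dict) -> bool:
    """The rule's core condition: EventID is one of the group-deletion IDs."""
    try:
        return int(event.get("EventID")) in GROUP_DELETION_EVENT_IDS
    except (TypeError, ValueError):
        return False


def detect(events: Iterable[dict], approved_admins: frozenset = frozenset()) -> List[Alert]:
    """Return one Alert per matching event.

    approved_admins is a hypothetical allowlist (assumed here) of accounts whose
    group deletions are expected, e.g. fed from change management. Matches are
    still alerted because the rule has few false positives; the allowlist only
    tags each alert so the analyst knows where to start.
    """
    alerts = []
    for ev in events:
        if not is_group_deletion(ev):
            continue
        actor = f"{ev.get('SubjectDomainName', '?')}\\{ev.get('SubjectUserName', '?')}"
        group = f"{ev.get('TargetDomainName', '?')}\\{ev.get('TargetUserName', '?')}"
        triage = ("actor is on the approved-admin list; confirm against change ticket"
                  if ev.get("SubjectUserName") in approved_admins
                  else "actor not on approved-admin list; investigate")
        alerts.append(Alert(int(ev["EventID"]), group, actor, triage=triage))
    return alerts


def run_sample() -> List[Alert]:
    """Run the detector over the constructed sample log with 'jdoe' as an approved admin."""
    return detect(parse_events(SAMPLE_LOG), approved_admins=frozenset({"jdoe"}))


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.severity}] EventID {a.event_id}: {a.actor} deleted group {a.group} ({a.triage})")
```

Running the block prints two alerts (the 4730 and 634 records) and silently drops the 4729 membership change and the malformed line; the allowlist changes only the triage hint, never whether an alert fires, which matches the summary's point that every match should still be checked.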
Categories
- Windows
Data Sources
- Windows Registry
- Application Log
Created: 2023-04-26