
Summary
The 'Crowdstrike Ephemeral User Account' correlation rule detects a user account that is created and then deleted within a short window: 12 hours (720 minutes). Short-lived accounts of this kind are a known adversary pattern: an account is created to carry out some activity and is removed again before a routine review of accounts would notice it, so the creation and deletion together are the signal, not either event on its own.

The detection is a sequence correlation. A user-account-creation event must be followed by a deletion event for the same account, and an alert is generated only when both events are logged and the deletion occurs no more than 720 minutes after the creation. A deletion with no preceding creation, or a creation that is never followed by a deletion, does not match. The rule runs on a daily schedule with a lookback period of 2160 minutes (36 hours). Because consecutive daily runs overlap by 12 hours and the maximum creation-to-deletion gap is also 12 hours, any qualifying pair falls entirely inside the window of at least one run, so a creation late on one day and a deletion early the next is still correlated rather than split across two evaluations.

Severity is rated High: an account that is created and removed in rapid succession is a strong indicator of unauthorized activity and is unlikely to result from normal provisioning. The rule's tests validate the alerting mechanism against the create-then-delete scenario, confirming that the rule fires on that sequence while avoiding false positives on account events that do not form it.
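The following is an added example, not the rule's own code or Panther's implementation, that runs the correlation described above over a handful of constructed events. The event shape (an `event_simpleName` of `UserAccountCreated` or `UserAccountDeleted`, a `UserName`, a host `aid` and a `timestamp`) and the reference time `NOW` are assumptions made for the example; the 720-minute gap and 2160-minute lookback are the rule's values from the summary.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_GAP = timedelta(minutes=720)     # create -> delete must occur within 12 h
LOOKBACK = timedelta(minutes=2160)   # each run inspects the trailing 36 h of events


@dataclass(frozen=True)
class Alert:
    user: str
    host: str
    created: datetime
    deleted: datetime
    gap_minutes: float


def _ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp as UTC (timezone-aware)."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def correlate_ephemeral_accounts(events: list, now: datetime) -> list:
    """Sequence correlation: a UserAccountCreated event for an account followed
    by a UserAccountDeleted event for the same account no more than MAX_GAP
    later. Only events inside the LOOKBACK window ending at `now` are
    considered, and the deletion must come after the creation in time."""
    window_start = now - LOOKBACK
    in_window = [e for e in events if window_start <= e["timestamp"] <= now]
    in_window.sort(key=lambda e: e["timestamp"])  # enforce event ordering

    pending = {}  # UserName -> (creation timestamp, host) awaiting a deletion
    alerts = []
    for e in in_window:
        user = e["UserName"]
        if e["event_simpleName"] == "UserAccountCreated":
            # A re-creation restarts the clock for that account.
            pending[user] = (e["timestamp"], e["aid"])
        elif e["event_simpleName"] == "UserAccountDeleted":
            match = pending.pop(user, None)
            if match is None:
                continue  # deletion with no preceding creation: not a sequence match
            created, host = match
            gap = e["timestamp"] - created
            if gap <= MAX_GAP:
                alerts.append(Alert(user, host, created, e["timestamp"],
                                    gap.total_seconds() / 60))
            # A deletion more than MAX_GAP after creation is ordinary churn.
    return alerts


# Constructed sample events (not real telemetry). Evaluation time is assumed.
NOW = _ts("2024-07-22T12:00:00")
SAMPLE_EVENTS = [
    # 1. created then deleted 7.5 h later -> should alert
    {"event_simpleName": "UserAccountCreated", "UserName": "svc-tmp01",
     "aid": "host-a", "timestamp": _ts("2024-07-22T02:00:00")},
    {"event_simpleName": "UserAccountDeleted", "UserName": "svc-tmp01",
     "aid": "host-a", "timestamp": _ts("2024-07-22T09:30:00")},
    # 2. both events in the lookback window, but 21 h apart -> no alert
    {"event_simpleName": "UserAccountCreated", "UserName": "backup-op",
     "aid": "host-b", "timestamp": _ts("2024-07-21T14:00:00")},
    {"event_simpleName": "UserAccountDeleted", "UserName": "backup-op",
     "aid": "host-b", "timestamp": _ts("2024-07-22T11:00:00")},
    # 3. deletion logged before the creation -> wrong order, no alert
    {"event_simpleName": "UserAccountDeleted", "UserName": "dev-user",
     "aid": "host-c", "timestamp": _ts("2024-07-22T03:00:00")},
    {"event_simpleName": "UserAccountCreated", "UserName": "dev-user",
     "aid": "host-c", "timestamp": _ts("2024-07-22T04:00:00")},
    # 4. a 4 h create/delete pair, but older than the 36 h lookback -> no alert
    {"event_simpleName": "UserAccountCreated", "UserName": "olduser",
     "aid": "host-d", "timestamp": _ts("2024-07-20T01:00:00")},
    {"event_simpleName": "UserAccountDeleted", "UserName": "olduser",
     "aid": "host-d", "timestamp": _ts("2024-07-20T05:00:00")},
    # 5. creation with no deletion -> no alert
    {"event_simpleName": "UserAccountCreated", "UserName": "ops-admin",
     "aid": "host-e", "timestamp": _ts("2024-07-22T08:00:00")},
]


def run_sample() -> list:
    """Run the correlation over the constructed events at the assumed time."""
    return correlate_ephemeral_accounts(SAMPLE_EVENTS, NOW)


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT: {a.user} on {a.host} created {a.created:%H:%M}, "
              f"deleted {a.deleted:%H:%M} ({a.gap_minutes:.0f} min)")
```

The correlation is keyed on the account name only, which is what the summary describes; for local accounts the same name can exist on many hosts, so an environment with many local accounts may want to key on the host identifier as well to avoid pairing a creation on one machine with a deletion on another. Note also that the 36-hour lookback means a qualifying pair can be seen by two consecutive daily runs; that is what guarantees the pair is never split across runs, but it means downstream alert handling should expect the same pair to be reported twice unless the platform deduplicates.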
Categories
- Identity Management
- Endpoint
Data Sources
- User Account
ATT&CK Techniques
- T1136.003
- T1070
Created: 2024-07-22