Windows AD GPO Deleted

Splunk Security Content

Summary
This detection identifies deletions of Active Directory (AD) Group Policy Objects (GPOs) from the Windows Security Event Log, specifically Event ID 5136 (a directory service object was modified). It works on modifications of the gPLink attribute, which on a domain, site, or organizational unit lists the GPOs linked to that container; when a GPO is deleted, its link is removed from every container that referenced it. AD records such a modification as a pair of 5136 events sharing one OpCorrelationID: one carrying the old attribute value (operation type Value Deleted) and one carrying the new value (Value Added). The detection groups these by the affected object distinguished name (ObjectDN), extracts the GPO GUIDs from the old and new gPLink values, and treats any GUID present in the old value but absent from the new one as a deleted GPO. It then correlates that GUID with Splunk Active Directory monitoring (admon) data to retrieve the display name of the deleted GPO for clearer identification. An alert is generated for each such discrepancy between the old and new gPLink values. This improves visibility into and auditing of changes to critical AD configuration.
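The same logic, rendered in Python over constructed sample events so it can be run offline. This is an added example, not the Splunk search from the content pack: it pairs the Value Deleted / Value Added halves of each gPLink change, diffs the GPO GUIDs, and joins the result with constructed admon records. The domain, GUIDs (other than the well-known Default Domain Policy GUID), user name, and correlation IDs are all made up for the example.

```python
import re
from collections import defaultdict

VALUE_ADDED = "%%14674"    # Event 5136 OperationType: Value Added
VALUE_DELETED = "%%14675"  # Event 5136 OperationType: Value Deleted

# One link inside a gPLink value:
#   [LDAP://cn={GUID},cn=policies,cn=system,DC=corp,DC=example;<state>]
# <state> bit 0 = link disabled, bit 1 = enforced.
GPLINK_RE = re.compile(
    r"\[LDAP://cn=\{(?P<guid>[0-9A-F-]+)\}[^;\]]*;(?P<state>\d)\]", re.IGNORECASE)

# gPCFileSysPath of a Group-Policy-Container object (admon data):
#   \\corp.example\SysVol\corp.example\Policies\{GUID}
GPC_PATH_RE = re.compile(
    r"^\\\\(?P<domain>[^\\]+)\\.*\\\{(?P<guid>[0-9A-F-]+)\}$", re.IGNORECASE)


def parse_gplink(value):
    """Return {GUID: link_state} for every link in a gPLink attribute value."""
    return {m["guid"].upper(): int(m["state"]) for m in GPLINK_RE.finditer(value or "")}


def gpo_display_names(admon_records):
    """Map GPO GUID -> (domain, displayName) from admon Group-Policy-Container records."""
    names = {}
    for rec in admon_records:
        if not rec.get("objectCategory", "").startswith("CN=Group-Policy-Container"):
            continue
        m = GPC_PATH_RE.match(rec.get("gPCFileSysPath", ""))
        if m:
            names[m["guid"].upper()] = (m["domain"], rec.get("displayName"))
    return names


def find_deleted_gpo_links(events):
    """Pair the Value Deleted / Value Added halves of each gPLink modification
    (same ObjectDN and OpCorrelationID) and report GUIDs that are present in
    the old value but missing from the new one."""
    mods = defaultdict(lambda: {"old": "", "new": "", "src_user": None})
    for ev in events:
        if ev.get("EventCode") != 5136:
            continue
        if ev.get("AttributeLDAPDisplayName", "").lower() != "gplink":
            continue
        mod = mods[(ev["ObjectDN"], ev["OpCorrelationID"])]
        if ev["OperationType"] == VALUE_DELETED:
            mod["old"] = ev["AttributeValue"]
        elif ev["OperationType"] == VALUE_ADDED:
            mod["new"] = ev["AttributeValue"]
        mod["src_user"] = ev.get("SubjectUserName")
    findings = []
    for (object_dn, corr_id), mod in mods.items():
        removed = set(parse_gplink(mod["old"])) - set(parse_gplink(mod["new"]))
        for guid in sorted(removed):
            findings.append({"gpo_guid": guid, "ObjectDN": object_dn,
                             "OpCorrelationID": corr_id, "src_user": mod["src_user"]})
    return findings


def detect_deleted_gpos(events, admon_records):
    """Left-join removed links with admon display names (unknown GUIDs keep None)."""
    names = gpo_display_names(admon_records)
    out = []
    for f in find_deleted_gpo_links(events):
        domain, display = names.get(f["gpo_guid"], (None, None))
        out.append({**f, "domain": domain, "displayName": display})
    return out


# ---- constructed sample data (not real log output) ----
DOMAIN_DN = "DC=corp,DC=example"
GPO_DEFAULT = "31B2F340-016D-11D2-945F-00C04FB984F9"    # well-known Default Domain Policy GUID
GPO_HARDENING = "0A1B2C3D-4E5F-4A6B-8C7D-9E0F1A2B3C4D"  # constructed
GPO_LOGGING = "F0E1D2C3-B4A5-4697-8877-665544332211"    # constructed


def link(guid, state=0):
    return f"[LDAP://cn={{{guid}}},cn=policies,cn=system,{DOMAIN_DN};{state}]"


def event(dn, corr, op, value, attr="gPLink"):
    return {"EventCode": 5136, "ObjectDN": dn, "OpCorrelationID": corr, "OperationType": op,
            "AttributeLDAPDisplayName": attr, "AttributeValue": value, "SubjectUserName": "jdoe"}


SAMPLE_EVENTS = [
    # GPO_HARDENING deleted: its link vanishes from the domain root and from OU=Servers
    event(DOMAIN_DN, "{C1}", VALUE_DELETED, link(GPO_DEFAULT) + link(GPO_HARDENING)),
    event(DOMAIN_DN, "{C1}", VALUE_ADDED, link(GPO_DEFAULT)),
    event(f"OU=Servers,{DOMAIN_DN}", "{C2}", VALUE_DELETED, link(GPO_HARDENING) + link(GPO_LOGGING, 2)),
    event(f"OU=Servers,{DOMAIN_DN}", "{C2}", VALUE_ADDED, link(GPO_LOGGING, 2)),
    # Benign: a link added to OU=Workstations, nothing removed
    event(f"OU=Workstations,{DOMAIN_DN}", "{C3}", VALUE_DELETED, link(GPO_LOGGING)),
    event(f"OU=Workstations,{DOMAIN_DN}", "{C3}", VALUE_ADDED, link(GPO_LOGGING) + link(GPO_DEFAULT)),
    # Unrelated attribute change on the same OU, must be ignored
    event(f"OU=Servers,{DOMAIN_DN}", "{C4}", VALUE_ADDED, "Servers OU", attr="description"),
]

SAMPLE_ADMON = [
    {"objectCategory": f"CN=Group-Policy-Container,CN=Schema,CN=Configuration,{DOMAIN_DN}",
     "displayName": "Server Hardening",
     "gPCFileSysPath": rf"\\corp.example\SysVol\corp.example\Policies\{{{GPO_HARDENING}}}"},
    {"objectCategory": f"CN=Group-Policy-Container,CN=Schema,CN=Configuration,{DOMAIN_DN}",
     "displayName": "Default Domain Policy",
     "gPCFileSysPath": rf"\\corp.example\SysVol\corp.example\Policies\{{{GPO_DEFAULT}}}"},
]

if __name__ == "__main__":
    for finding in detect_deleted_gpos(SAMPLE_EVENTS, SAMPLE_ADMON):
        print(finding)
```

Running the block reports the "Server Hardening" GPO twice, once per container it was linked to, and nothing for the OU=Workstations change. One caveat worth keeping in mind when tuning: unlinking a GPO from a container produces exactly the same gPLink change as deleting the GPO, so a removed link is the signal this logic keys on, not proof that the GPO object itself is gone; the admon join only supplies the display name.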
Categories
  • Windows
  • Endpoint
  • Identity Management
Data Sources
  • Windows Registry
  • Active Directory
ATT&CK Techniques
  • T1562.001
  • T1484.001
Created: 2025-01-21