OneLogin Multiple Accounts Deleted

Panther Rules

Summary
This detection rule, 'OneLogin Multiple Accounts Deleted', alerts when the number of user account deletions in OneLogin exceeds a threshold, which may indicate a potential denial of service (DoS) condition. The rule fires when more than 10 user account deletion events are logged within a 10-minute window. It is mapped to the MITRE ATT&CK Impact tactic (TA0040). It requires OneLogin event logs, specifically the event types that record user deletions. When the rule triggers, the recommended response is to verify whether the deletions were part of routine user-cleanup activity or whether they indicate malicious behavior.
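As an added illustration, not Panther's own rule code (Panther rules are written in Python, but their threshold and deduplication window are set in the rule's configuration rather than in the Python body), the following stand-alone script implements the sliding-window logic the summary describes and runs it over constructed OneLogin-style events. The event_type_id value 17 for user deletion, the field names (event_type_id, created_at, actor_user_name, user_name) and the sample events are assumptions constructed for this example, not values taken from this page.

```python
"""Sliding-window threshold over OneLogin user-deletion events (constructed example)."""
from collections import deque
from datetime import datetime, timedelta, timezone

# Assumption: event_type_id 17 denotes a user deletion in OneLogin event logs.
USER_DELETED_EVENT_TYPE_ID = 17
THRESHOLD = 10                  # from the rule summary: more than 10 deletions ...
WINDOW = timedelta(minutes=10)  # ... within a 10-minute window


def is_user_deletion(event: dict) -> bool:
    """Per-event match, in the style of a Panther rule() function."""
    return str(event.get("event_type_id")) == str(USER_DELETED_EVENT_TYPE_ID)


def _ts(event: dict) -> datetime:
    """Parse the ISO-8601 created_at field (assumed field name) into an aware datetime."""
    return datetime.fromisoformat(event["created_at"])


def find_threshold_breaches(events, threshold=THRESHOLD, window=WINDOW):
    """Return one alert dict per breach: the first moment the count of deletions
    in the trailing window exceeds the threshold. Further deletions inside the same
    breach are suppressed until the window drains back to or below the threshold,
    mirroring a deduplication period."""
    deletions = sorted((e for e in events if is_user_deletion(e)), key=_ts)
    recent = deque()        # deletions whose timestamp is within `window` of the newest one
    alerts = []
    alerting = False
    for ev in deletions:
        now = _ts(ev)
        recent.append(ev)
        while _ts(recent[0]) < now - window:
            recent.popleft()
        if len(recent) > threshold and not alerting:
            alerting = True
            alerts.append({
                "at": now,
                "count": len(recent),
                # who performed the deletions: useful for the triage question
                # "routine cleanup or something else?"
                "actors": sorted({e.get("actor_user_name", "<unknown>") for e in recent}),
                "targets": [e.get("user_name", "<unknown>") for e in recent],
            })
        elif len(recent) <= threshold:
            alerting = False
    return alerts


# ---- constructed sample input (not real OneLogin data) ----
BASE = datetime(2022, 9, 2, 10, 0, tzinfo=timezone.utc)


def make_event(event_type_id: int, offset_seconds: int, actor: str, target: str) -> dict:
    return {
        "event_type_id": event_type_id,
        "created_at": (BASE + timedelta(seconds=offset_seconds)).isoformat(),
        "actor_user_name": actor,
        "user_name": target,
    }


SAMPLE_EVENTS = (
    # burst: 12 deletions in under 6 minutes by one actor (crosses the threshold)
    [make_event(17, 30 * i, "svc-automation", f"user{i:02d}@example.com") for i in range(12)]
    # noise in the same window: a login (type 5) and a user update (type 14), both assumed ids
    + [make_event(5, 45, "alice@example.com", "alice@example.com"),
       make_event(14, 90, "admin@example.com", "bob@example.com")]
    # an isolated deletion an hour later: well below threshold, must not alert
    + [make_event(17, 3600, "admin@example.com", "leaver@example.com")]
)


if __name__ == "__main__":
    for alert in find_threshold_breaches(SAMPLE_EVENTS):
        print(f"{alert['at'].isoformat()}: {alert['count']} deletions in "
              f"{WINDOW} by {', '.join(alert['actors'])}")
```

Running the script prints a single alert at 10:05:00 UTC, raised by the 11th deletion, and nothing for the later isolated deletion. The actor list in the alert is what the summary's triage step needs: a single service account deleting a batch of accounts is consistent with scheduled offboarding, whereas deletions by an unexpected actor warrant investigation.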
Categories
  • Identity Management
  • Cloud
Data Sources
  • User Account
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1531
Created: 2022-09-02