GSuite Drive Many Documents Deleted

Panther Rules

Summary
The rule monitors Google Workspace Drive activity to detect bulk document deletions. It triggers when a single actor moves more than 10 distinct documents to the Drive trash within a 60-minute window (threshold 11). The detection relies on GSuite.ActivityEvent logs and counts distinct documents, so repeated trash events for the same item are not counted twice. When triggered, the rule can indicate potential accidental or malicious bulk deletion. It also cross-checks the deleted documents' visibility (internal vs. external sharing) to assess potential business impact, and it considers other suspicious activity by the same user in the prior 24 hours (e.g., bulk downloads, sharing changes, or access to sensitive documents). The rule maps to MITRE ATT&CK TA0040:T1485 (Data Destruction), is labeled Experimental with Medium severity, and is enabled with a DedupPeriodMinutes of 60. The Runbook outlines steps to query logs around the event, enumerate the deletion parameters (doc_title, doc_id, doc_type, visibility), and evaluate impact and related activity. The included tests demonstrate a standard trash event, an externally shared document trash event (high severity), and non-deletion events, to verify that the rule fires only when it should. The rule provides concrete test log examples showing actor, document identifiers, titles, types, and visibility for validation, with a reference to Google Drive help for behavior context.
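The following is an added stand-alone illustration of the detection logic described above (distinct trashed documents per actor in a 60-minute window, with severity raised for externally shared documents); it is not the Panther rule's own code, and the event field layout (id.applicationName, id.time, actor.email, name, parameters.*) and the visibility strings are assumptions used to build constructed sample events.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 11                  # ">10 distinct documents" per actor in the window
WINDOW = timedelta(minutes=60)
# Visibility values treated as external sharing (assumed strings, not from the page).
EXTERNAL = {"shared_externally", "people_with_link", "public_on_the_web"}

def is_trash_event(event):
    """True for a Drive audit event that moved a document to the trash (field names assumed)."""
    return event.get("id", {}).get("applicationName") == "drive" and event.get("name") == "trash"

def detect_bulk_trash(events, threshold=THRESHOLD, window=WINDOW):
    """One finding per actor who trashed >= threshold distinct doc_ids inside any `window`."""
    per_actor = defaultdict(list)
    for ev in events:
        if is_trash_event(ev):
            ts = datetime.fromisoformat(ev["id"]["time"].replace("Z", "+00:00"))
            per_actor[ev["actor"]["email"]].append((ts, ev["parameters"]))
    findings = []
    for actor, items in per_actor.items():
        items.sort(key=lambda x: x[0])
        for i, (start, _) in enumerate(items):      # sliding window starting at each event
            seen = {}                                # doc_id -> visibility (repeats count once)
            for ts, params in items[i:]:
                if ts - start > window:
                    break
                seen.setdefault(params["doc_id"], params.get("visibility"))
            if len(seen) >= threshold:
                external = sorted(d for d, v in seen.items() if v in EXTERNAL)
                findings.append({"actor": actor, "docs": len(seen),
                                 "severity": "HIGH" if external else "MEDIUM",
                                 "external_docs": external})
                break                                # one alert per actor, like the dedup period
    return findings

def _ev(email, minute, doc_id, name="trash", visibility="people_within_domain"):
    # Constructed sample event in the assumed shape of a GSuite Drive activity record.
    return {"id": {"applicationName": "drive", "time": f"2026-04-21T10:{minute:02d}:00Z"},
            "actor": {"email": email}, "name": name,
            "parameters": {"doc_id": doc_id, "doc_title": f"doc {doc_id}",
                           "doc_type": "document", "visibility": visibility}}

SAMPLE = [_ev("alice@example.com", m, f"d{m}") for m in range(11)]         # 11 distinct docs
SAMPLE += [_ev("alice@example.com", 5, "d5")]                              # repeat: not counted
SAMPLE += [_ev("bob@example.com", m, f"b{m}") for m in range(10)]          # 10 docs: below threshold
SAMPLE += [_ev("bob@example.com", 15, "b99", name="download")]             # not a trash event
SAMPLE += [_ev("carol@example.com", m, f"c{m}", visibility="shared_externally") for m in range(11)]
```

Running `detect_bulk_trash(SAMPLE)` yields a MEDIUM finding for alice and a HIGH finding for carol, and nothing for bob.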
Categories
  • Cloud
Data Sources
  • Drive
ATT&CK Techniques
  • T1485
Created: 2026-04-21