
Summary
This analytic rule detects the deletion of user accounts on Windows systems via the net.exe or net1.exe command-line tools (for example, net user <name> /delete). It uses Endpoint Detection and Response (EDR) telemetry, specifically process execution events and their command-line arguments. Deleting an account this way can be a routine administrative action, but it can also be an attacker removing access for legitimate users or erasing an account so as to hide Indicators of Compromise (IoCs) after lateral movement. The rule supports system integrity and incident response by surfacing account deletions that warrant review against the executing user, the parent process and any change records.
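The following Python is an added illustration of the detection logic the summary describes; it is not the rule itself or any vendor's code. It scans constructed EDR-style process events for net.exe or net1.exe runs whose subcommand is "user" and whose switches include /delete, records whether the /domain switch was present, and separates those from "net localgroup ... /delete", which removes a group membership rather than an account. The event field names (host, user, parent_process_name, process_name, command_line) are assumptions about the EDR schema, and the sample events are constructed, not real telemetry.

```python
"""Model of the net.exe / net1.exe user-deletion detection over EDR process events.

Added illustration, not the original rule. Event field names (host, user,
parent_process_name, process_name, command_line) are assumptions about
the EDR schema; SAMPLE_EVENTS are constructed, not real telemetry.
"""
import shlex
from dataclasses import dataclass

NET_BINARIES = {"net.exe", "net1.exe"}

# Constructed sample events. A real 'net user x /delete' typed at cmd.exe
# produces two process events: net.exe, which then spawns net1.exe.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\helpdesk", "parent_process_name": "cmd.exe",
     "process_name": "net.exe", "command_line": "net user tempuser /delete"},
    {"host": "WS01", "user": "CORP\\helpdesk", "parent_process_name": "net.exe",
     "process_name": "net1.exe",
     "command_line": "C:\\Windows\\system32\\net1 user tempuser /delete"},
    {"host": "DC01", "user": "CORP\\svc-backup", "parent_process_name": "powershell.exe",
     "process_name": "net.exe", "command_line": "NET USER backupadm /DEL /DOMAIN"},
    {"host": "WS02", "user": "CORP\\alice", "parent_process_name": "cmd.exe",
     "process_name": "net.exe", "command_line": "net localgroup Administrators bob /delete"},
    {"host": "WS02", "user": "CORP\\alice", "parent_process_name": "cmd.exe",
     "process_name": "net.exe", "command_line": "net user bob"},
    {"host": "WS03", "user": "CORP\\bob", "parent_process_name": "explorer.exe",
     "process_name": "notepad.exe", "command_line": "notepad.exe delete_me.txt"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    actor: str            # account that ran the command
    target: str           # account being deleted
    scope: str            # "local" or "domain"
    process_name: str
    parent_process_name: str
    command_line: str


def is_delete_switch(token: str) -> bool:
    """net.exe accepts unambiguous switch abbreviations, so /del, /dele, ...
    all mean /delete; match any prefix of /delete that is at least /del."""
    t = token.lower()
    return t.startswith("/del") and "/delete".startswith(t)


def detect_user_deletion(event: dict):
    """Return a Finding if the event is net.exe/net1.exe deleting a user account."""
    if event.get("process_name", "").lower() not in NET_BINARIES:
        return None
    # posix=False keeps Windows backslashes and quotes intact.
    tokens = shlex.split(event.get("command_line", ""), posix=False)
    if len(tokens) < 3 or tokens[1].lower() != "user":
        # 'net localgroup ... /delete' removes a group membership, not an
        # account, so it belongs to a different detection and is not matched.
        return None
    switches = [t for t in tokens[2:] if t.startswith("/")]
    targets = [t for t in tokens[2:] if not t.startswith("/")]
    if not targets or not any(is_delete_switch(s) for s in switches):
        return None
    scope = "domain" if any(s.lower() == "/domain" for s in switches) else "local"
    return Finding(
        host=event.get("host", ""), actor=event.get("user", ""), target=targets[0],
        scope=scope, process_name=event["process_name"].lower(),
        parent_process_name=event.get("parent_process_name", "").lower(),
        command_line=event["command_line"],
    )


def scan(events) -> list:
    """Run the detection over a list of events and return all findings."""
    return [f for f in (detect_user_deletion(e) for e in events) if f is not None]


def collapse_net1_children(findings) -> list:
    """Drop net1.exe findings whose parent is net.exe when the matching net.exe
    finding (same host and target) is already present, so one typed command
    yields one alert instead of two."""
    parents = {(f.host, f.target) for f in findings if f.process_name == "net.exe"}
    return [f for f in findings
            if not (f.process_name == "net1.exe"
                    and f.parent_process_name == "net.exe"
                    and (f.host, f.target) in parents)]


if __name__ == "__main__":
    for f in collapse_net1_children(scan(SAMPLE_EVENTS)):
        print(f"{f.host}: {f.actor} deleted {f.scope} account '{f.target}' "
              f"via {f.process_name} (parent {f.parent_process_name})")
```

Run against the sample events, scan() raises three findings (the net.exe and net1.exe events for tempuser on WS01, and the domain deletion of backupadm on DC01) and ignores the localgroup membership removal, the plain "net user bob" query, and the unrelated notepad.exe event. collapse_net1_children() then folds the net1.exe child into its net.exe parent so the typed command on WS01 yields a single alert; keep the raw net1.exe match in place, though, because net1.exe can also be invoked directly.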
Categories
- Endpoint
- Windows
Data Sources
- Process
- Command
- Windows Registry
- Application Log
ATT&CK Techniques
- T1531
Created: 2025-01-13