AWS EFS Fileshare Modified or Deleted

Sigma Rules

Summary
This detection rule monitors modification or deletion of AWS Elastic File System (EFS) fileshares. The primary event targeted is the 'DeleteFileSystem' API call recorded in AWS CloudTrail logs, which indicates that an EFS fileshare is being deleted. The rule triggers an alert when this action occurs, as it may signify malicious activity such as unauthorized access or an attempt to disrupt services. Deleting an EFS fileshare is not a single step: if the fileshare is in use, its mount targets must be deleted before the fileshare itself can be deleted. Multiple related events captured within a short period during suspicious operational hours therefore form a sequence that can indicate compromise. Monitoring modifications and deletions helps inform security teams of potential adversarial behavior aimed at data disruption in AWS environments.
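The sequence described above can be checked during triage with a short script. This is an added example, not part of the Sigma rule or of this page's source: it takes CloudTrail records and, for each 'DeleteFileSystem' call, counts the mount-target deletions the same principal made shortly before. The function name `find_efs_deletions`, the 15-minute window, the use of the EFS `DeleteMountTarget` event for mount-target removal, and the sample records are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta

EFS_SOURCE = "elasticfilesystem.amazonaws.com"
WINDOW = timedelta(minutes=15)  # assumed correlation window; tune per environment

# Constructed sample CloudTrail records (illustrative, not real log data).
SAMPLE_RECORDS = json.loads("""[
 {"eventTime":"2024-01-01T02:10:05Z","eventSource":"elasticfilesystem.amazonaws.com","eventName":"DeleteMountTarget",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-a"},"requestParameters":{"mountTargetId":"fsmt-example1"}},
 {"eventTime":"2024-01-01T02:10:40Z","eventSource":"elasticfilesystem.amazonaws.com","eventName":"DeleteMountTarget",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-a"},"requestParameters":{"mountTargetId":"fsmt-example2"}},
 {"eventTime":"2024-01-01T02:12:00Z","eventSource":"elasticfilesystem.amazonaws.com","eventName":"DeleteFileSystem",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-a"},"requestParameters":{"fileSystemId":"fs-example1"}},
 {"eventTime":"2024-01-01T09:00:00Z","eventSource":"s3.amazonaws.com","eventName":"DeleteBucket",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-b"},"requestParameters":{"bucketName":"example"}},
 {"eventTime":"2024-01-01T14:00:00Z","eventSource":"elasticfilesystem.amazonaws.com","eventName":"DeleteFileSystem",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-b"},"requestParameters":null,"errorCode":"FileSystemInUse"}
]""")

def _ts(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_efs_deletions(records, window=WINDOW):
    """One finding per DeleteFileSystem call, with prior mount-target deletions by the same principal."""
    efs = sorted((r for r in records if r.get("eventSource") == EFS_SOURCE), key=_ts)
    findings = []
    for rec in efs:
        if rec.get("eventName") != "DeleteFileSystem":
            continue
        actor = rec.get("userIdentity", {}).get("arn")
        prior = [p for p in efs
                 if p.get("eventName") == "DeleteMountTarget"
                 and p.get("userIdentity", {}).get("arn") == actor
                 and timedelta(0) <= _ts(rec) - _ts(p) <= window]
        findings.append({
            "time": rec["eventTime"],
            "actor": actor,
            "file_system": (rec.get("requestParameters") or {}).get("fileSystemId"),
            "succeeded": "errorCode" not in rec,  # failed attempts are still worth reviewing
            "mount_targets_deleted_before": len(prior),
        })
    return findings

if __name__ == "__main__":
    for finding in find_efs_deletions(SAMPLE_RECORDS):
        print(finding)
```

A finding with a non-zero `mount_targets_deleted_before` shows the full teardown sequence by one principal; a finding with `succeeded` set to false shows an attempted deletion that the service rejected.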
Categories
  • Cloud
  • AWS
  • Infrastructure
Data Sources
  • Cloud Service
  • Network Traffic
Created: 2021-08-15