Sublime Message Source Deleted Or Deactivated

Panther Rules

Summary
This detection rule monitors actions within the Sublime application that delete or deactivate a message source. It alerts when a user disables or deletes a message source, since such a change can indicate an unauthorized modification or malicious intent, particularly when the action appears abnormal or lacks a valid business reason. The rule consumes events from the Sublime Audit log; when a matching event is detected, security teams should investigate and confirm whether the change was made for a legitimate purpose. Organizations should re-enable any critical message sources as needed to maintain operational integrity and protect their environment. The rule is classified as medium severity and requires further assessment of the user's actions to determine whether standard operating procedures were followed.
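The following is an added illustration of the detection logic described above, written in the shape of a Panther Python rule (the `rule`, `title`, `severity`, `dedup` and `alert_context` functions are Panther's rule conventions). It is not Panther's published rule and not Sublime's code: the audit event type strings (`message_source.deactivate`, `message_source.delete`) and the field paths (`type`, `created_by.email`, `data.message_source.*`, `source_ip`) are assumptions that must be checked against your own Sublime Audit log schema, and the sample log lines are constructed for the example.

```python
import json
from typing import Any

# ASSUMED Sublime Audit event types for disabling or deleting a message source.
# Confirm these against the real audit log schema before deploying.
MESSAGE_SOURCE_DISABLE_TYPES = {
    "message_source.deactivate",
    "message_source.delete",
}


def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Walk nested dicts safely; return `default` if any key is missing."""
    for key in keys:
        if not isinstance(obj, dict):
            return default
        obj = obj.get(key)
    return default if obj is None else obj


def rule(event: dict) -> bool:
    """Fire when the audit event deactivates or deletes a message source.
    Comparison is case-insensitive so a differently-cased type is not missed."""
    event_type = str(event.get("type", "")).lower()
    return event_type in MESSAGE_SOURCE_DISABLE_TYPES


def title(event: dict) -> str:
    """Alert title naming the actor and the affected message source."""
    actor = deep_get(event, "created_by", "email", default="<unknown actor>")
    source = deep_get(event, "data", "message_source", "name", default="<unknown source>")
    action = "deleted" if str(event.get("type", "")).lower().endswith("delete") else "deactivated"
    return f"Sublime message source [{source}] {action} by [{actor}]"


def severity(event: dict) -> str:
    # Matches the MEDIUM classification stated for this rule.
    return "MEDIUM"


def dedup(event: dict) -> str:
    # Group repeated toggles of the same source by the same actor into one alert.
    actor = deep_get(event, "created_by", "email", default="")
    source_id = deep_get(event, "data", "message_source", "id", default="")
    return f"{actor}:{source_id}"


def alert_context(event: dict) -> dict:
    """Fields an analyst needs to decide whether the change was legitimate."""
    return {
        "actor": deep_get(event, "created_by", "email"),
        "source_ip": event.get("source_ip"),
        "message_source_id": deep_get(event, "data", "message_source", "id"),
        "event_type": event.get("type"),
    }


def scan_audit_log(lines: list[str]) -> list[str]:
    """Run the rule over raw JSON audit lines; return alert titles for matches."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of crashing the detection
        if rule(event):
            alerts.append(title(event))
    return alerts


# Constructed sample audit lines (not real Sublime output).
SAMPLE_AUDIT_LINES = [
    json.dumps({"type": "message_source.deactivate", "source_ip": "203.0.113.10",
                "created_by": {"email": "alice@example.com"},
                "data": {"message_source": {"id": "ms-1", "name": "Google Workspace"}}}),
    json.dumps({"type": "message_source.create",
                "created_by": {"email": "alice@example.com"},
                "data": {"message_source": {"id": "ms-3", "name": "Test Source"}}}),
    json.dumps({"type": "MESSAGE_SOURCE.DELETE", "source_ip": "198.51.100.7",
                "created_by": {"email": "bob@example.com"},
                "data": {"message_source": {"id": "ms-2", "name": "Microsoft 365"}}}),
    "this line is not valid json",
]

if __name__ == "__main__":
    for alert_title in scan_audit_log(SAMPLE_AUDIT_LINES):
        print(alert_title)
```

Running the block prints one title for the deactivation and one for the (upper-cased) deletion; the create event and the malformed line produce nothing. The `dedup` key keeps a burst of toggles on one source from flooding the queue, while `alert_context` carries the actor, source IP and source id that the triage step described above needs.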
Categories
  • Application
  • Cloud
  • Identity Management
Data Sources
  • Script
  • Application Log
  • User Account
ATT&CK Techniques
  • T1562.001
Created: 2024-09-25