AWS EFS File System or Mount Deleted

Elastic Detection Rules

Summary
This rule detects the deletion of Amazon Elastic File System (EFS) file systems or mount targets, activity that can indicate a malicious attempt to disrupt services that rely on these resources. Adversaries may delete a mount target to incapacitate the instances or applications associated with it. The rule uses AWS CloudTrail logs to monitor for successful deletion events, which signal potential threats to data integrity or availability. The detection focuses on identifying the user or role associated with the deletion, analyzing related events, and establishing a response protocol to mitigate risk. False positives may arise from legitimate administrative actions or automated processes, so appropriate exceptions or modifications to the monitoring strategy are necessary to improve detection accuracy without compromising operational continuity.
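The logic summarized above, applied to raw CloudTrail records, as an added example that is not the Elastic rule's own query. It assumes the standard CloudTrail field names, the EFS event source `elasticfilesystem.amazonaws.com` with the API names `DeleteFileSystem` and `DeleteMountTarget`, and that a failed call carries an `errorCode` field; the allowlisted role and all sample records are constructed.

```python
import json

# Assumption: raw CloudTrail field names; a failed call carries an "errorCode" field.
EFS_SOURCE = "elasticfilesystem.amazonaws.com"
DELETE_EVENTS = {"DeleteFileSystem", "DeleteMountTarget"}
# Hypothetical allowlist for automation whose deletions are expected (false-positive tuning).
ALLOWED_ACTORS = {"arn:aws:sts::111122223333:assumed-role/efs-cleanup/scheduler"}

def _sample(name, actor, params, **extra):
    """Build one constructed CloudTrail-style record as a JSON line."""
    rec = {"eventTime": "2021-08-27T10:00:00Z", "eventSource": EFS_SOURCE,
           "eventName": name, "sourceIPAddress": "198.51.100.7",
           "userIdentity": {"arn": actor}, "requestParameters": params}
    rec.update(extra)
    return json.dumps(rec)

ALICE = "arn:aws:iam::111122223333:user/alice"  # constructed principal
SAMPLE_LINES = [
    _sample("DeleteMountTarget", ALICE, {"mountTargetId": "fsmt-0example1"}),
    _sample("DeleteFileSystem", ALICE, {"fileSystemId": "fs-0example1"}, errorCode="AccessDenied"),
    _sample("DeleteFileSystem", next(iter(ALLOWED_ACTORS)), {"fileSystemId": "fs-0example2"}),
    _sample("DescribeFileSystems", ALICE, None),
    "not json",
    _sample("DeleteFileSystem", "arn:aws:iam::111122223333:user/bob", {"fileSystemId": "fs-0example3"}),
]

def find_deletions(lines, allowed=ALLOWED_ACTORS):
    """Return one alert per successful EFS deletion by a non-allowlisted principal."""
    alerts = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if not isinstance(rec, dict) or rec.get("eventSource") != EFS_SOURCE:
            continue
        if rec.get("eventName") not in DELETE_EVENTS or "errorCode" in rec:
            continue  # not a deletion, or the call failed
        actor = (rec.get("userIdentity") or {}).get("arn", "unknown")
        if actor in allowed:
            continue  # expected automation
        params = rec.get("requestParameters") or {}
        alerts.append({"time": rec.get("eventTime"), "action": rec["eventName"],
                       "actor": actor, "source_ip": rec.get("sourceIPAddress"),
                       "resource": params.get("fileSystemId") or params.get("mountTargetId")})
    return alerts

if __name__ == "__main__":
    for alert in find_deletions(SAMPLE_LINES):
        print(alert)
```

Each alert carries the acting principal and source IP, which are the starting points for the identity and related-event analysis the summary describes.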
Categories
  • Cloud
Data Sources
  • Cloud Service
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1485
Created: 2021-08-27