
Linux User or Group Deletion

Elastic Detection Rules

Summary
This detection rule identifies the deletion of user or group accounts on Linux systems, an action adversaries use to cover their tracks or disrupt operations. The rule is written in Event Query Language (EQL) and runs over logs collected by Filebeat, matching events that record a successful removal of a user or group entry. The setup requires the Filebeat System Module to be enabled so that the host's authentication and system logs (the messages userdel and groupdel write to syslog) are collected and parsed into structured events. Adversaries may delete accounts as part of a broader effort to erase indicators of compromise, which makes this rule useful for threat detection in Linux environments. The rule carries a low risk score: account deletion is also routine administrative work, so a match usually needs additional context (who ran the command, whether the account was scheduled for decommissioning) before it can be called malicious.
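The following is an added example, not the Elastic rule's own EQL query or any code from the Elastic project. It replays the detection logic described above over a few constructed auth-log lines: the syslog messages are normalized into ECS-style fields and the rule condition (Linux host, successful deletion of a user or group entry) is expressed as a plain Python predicate so it can run without an Elastic stack. The `event.action` values `user-removed` and `group-removed`, and the mapping of these messages to `event.outcome: success`, are assumptions about how the Filebeat System Module's auth fileset labels userdel and groupdel messages; the log lines themselves are constructed for this example.

```python
"""Replay of the 'Linux User or Group Deletion' detection logic over
constructed auth.log lines. Added example; not Elastic's rule or code."""
import re
from typing import List, Optional

# Constructed auth.log lines in the default syslog format. The userdel and
# groupdel message texts mirror what shadow-utils writes to syslog.
SAMPLE_AUTH_LOG = """\
Jan  8 10:14:55 web01 useradd[2101]: new user: name=deploy, UID=1004, GID=1004, home=/home/deploy, shell=/bin/bash
Jan  8 10:15:02 web01 userdel[2133]: delete user 'bob'
Jan  8 10:15:02 web01 userdel[2133]: removed group 'bob' owned by 'bob'
Jan  8 10:15:07 web01 groupdel[2140]: group 'devs' removed from /etc/group
Jan  8 10:15:07 web01 groupdel[2140]: group 'devs' removed from /etc/gshadow
Jan  8 10:16:30 web01 sshd[2200]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Message pattern -> assumed ECS event.action. Only the primary deletion
# message of each tool is mapped, so one userdel or groupdel run yields a
# single event; the follow-up gshadow / owned-group lines are ignored.
MESSAGE_PATTERNS = [
    (re.compile(r"^delete user '(?P<name>[^']+)'$"), "user-removed"),
    (re.compile(r"^group '(?P<name>[^']+)' removed from /etc/group$"), "group-removed"),
    (re.compile(r"^new user: name=(?P<name>[^,]+),"), "user-added"),
]


def normalize(line: str) -> Optional[dict]:
    """Turn one syslog line into a minimal ECS-style event, or None when it
    is not an account-management message this example maps."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    for pattern, action in MESSAGE_PATTERNS:
        mm = pattern.match(m["msg"])
        if mm:
            kind = "user" if action.startswith("user") else "group"
            return {
                "host.name": m["host"],
                "host.os.type": "linux",
                "event.category": "iam",
                "event.type": "deletion" if action.endswith("removed") else "creation",
                "event.action": action,
                # shadow-utils writes these messages only after the database
                # update succeeded, so the outcome is recorded as success.
                "event.outcome": "success",
                "process.name": m["prog"],
                "process.pid": int(m["pid"]),
                f"{kind}.name": mm["name"],
                "message": m["msg"],
            }
    return None


REMOVAL_ACTIONS = {"user-removed", "group-removed"}


def matches_rule(event: dict) -> bool:
    """The condition the rule description states: a successful deletion of a
    user or group entry on a Linux host. A Python predicate standing in for
    the rule's EQL, not the query itself."""
    return (
        event.get("host.os.type") == "linux"
        and event.get("event.category") == "iam"
        and event.get("event.type") == "deletion"
        and event.get("event.action") in REMOVAL_ACTIONS
        and event.get("event.outcome") == "success"
    )


def run_detection(log_text: str) -> List[dict]:
    """Normalize every line and return the events that trip the rule."""
    events = (normalize(line) for line in log_text.splitlines())
    return [e for e in events if e and matches_rule(e)]


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_AUTH_LOG):
        name = alert.get("user.name") or alert.get("group.name")
        print(f"{alert['host.name']} {alert['event.action']:<14} {name!r:<8} "
              f"via {alert['process.name']}[{alert['process.pid']}]")
```

Running it on the sample yields two alerts, `user-removed` for `bob` and `group-removed` for `devs`; the useradd and sshd lines are parsed but do not match. Two caveats when deploying the real rule: it only sees what userdel and groupdel write to syslog, so an account removed by editing `/etc/passwd` or `/etc/group` directly (vipw, vigr, sed) produces no event and needs file-integrity monitoring instead; and because routine decommissioning generates identical events, triage should pivot on the invoking process, the session it ran under, and whether the account was expected to go away.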
Categories
  • Linux
  • Endpoint
Data Sources
  • File
ATT&CK Techniques
  • T1070
Created: 2026-01-08