
Summary
The detection rule "Abnormally High Number Of Cloud Instances Destroyed" identifies potentially malicious activity by monitoring cloud infrastructure logs for significant anomalies in the number of cloud instances deleted within a 4-hour window. A probability density model is applied to these counts, and outliers are flagged because they may indicate an insider threat or a compromised account being used to disrupt services. A sudden surge in deleted instances can cause operational downtime, data loss and financial harm, so prompt investigation is warranted. Implementing the rule involves ingesting cloud infrastructure logs, establishing a baseline of expected instance-deletion behavior, and tuning for known false positives, in particular service accounts whose normal workload includes a high rate of deletions.
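The following is an added illustration of the approach the summary describes, not the rule's own search logic: deletion events are bucketed into 4-hour windows per principal, a baseline is fitted on the historical windows, and the newest window is scored with a probability density so that only an improbably high count is flagged. It assumes a Gaussian density (the summary does not name the model), CloudTrail-like field names (eventTime, eventName, userName, instanceId) and a small constructed event set in which a human user and a service account both delete 20 instances in the final window; the service account's own baseline makes that normal, while the same count from the user is an outlier. An allowlist parameter stands in for the false-positive tuning the summary mentions.

```python
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=4)       # the rule's 4-hour aggregation window
MIN_STD = 1.0                     # floor so a flat baseline still yields a usable density
DENSITY_THRESHOLD = 1e-3          # a window with density below this is treated as an outlier


def build_events():
    """Constructed CloudTrail-style TerminateInstances events (not real data):
    31 consecutive 4-hour windows for two principals."""
    start = datetime(2024, 11, 1, tzinfo=timezone.utc)
    events = []
    for i in range(31):
        window_start = start + i * WINDOW
        # 'alice' normally deletes 1-3 instances per window; 20 in the final window.
        n_alice = 20 if i == 30 else (i % 3) + 1
        # 'svc-autoscaler' routinely churns 15-19 instances per window; 20 in the final window.
        n_svc = 20 if i == 30 else 15 + (i % 5)
        for principal, n in (("alice", n_alice), ("svc-autoscaler", n_svc)):
            for k in range(n):
                events.append({
                    "eventTime": (window_start + timedelta(minutes=k)).isoformat(),
                    "eventName": "TerminateInstances",
                    "userName": principal,
                    "instanceId": f"i-{principal[:3]}{i:02d}{k:02d}",  # constructed id
                })
    return events


def window_key(ts):
    """Floor a timestamp to the start of its 4-hour window (UTC)."""
    size = int(WINDOW.total_seconds())
    return datetime.fromtimestamp(int(ts.timestamp()) // size * size, tz=timezone.utc)


def deletions_per_window(events):
    """Count TerminateInstances events per (principal, window).
    Windows with zero deletions are simply absent from the result."""
    counts = Counter()
    for e in events:
        if e["eventName"] != "TerminateInstances":
            continue
        ts = datetime.fromisoformat(e["eventTime"])
        counts[(e["userName"], window_key(ts))] += 1
    return counts


def gaussian_density(x, mean, std):
    """Normal probability density of x under N(mean, std^2)."""
    return math.exp(-0.5 * ((x - mean) / std) ** 2) / (std * math.sqrt(2 * math.pi))


def fit_baselines(counts):
    """Per principal, (mean, std) of deletions over every window except the newest,
    so the window being scored does not contaminate its own baseline."""
    per_principal = defaultdict(dict)
    for (principal, win), n in counts.items():
        per_principal[principal][win] = n
    baselines = {}
    for principal, by_win in per_principal.items():
        history = [by_win[w] for w in sorted(by_win)[:-1]]
        if len(history) < 2:
            continue  # not enough history to model this principal yet
        baselines[principal] = (statistics.fmean(history),
                                max(statistics.pstdev(history), MIN_STD))
    return baselines


def detect(events, allowlist=frozenset(), threshold=DENSITY_THRESHOLD):
    """Return one alert per non-allowlisted principal whose deletion count in the
    most recent window is above its mean and improbable under its baseline."""
    counts = deletions_per_window(events)
    baselines = fit_baselines(counts)
    latest = max(win for _, win in counts)
    alerts = []
    for principal, (mean, std) in sorted(baselines.items()):
        if principal in allowlist:
            continue  # known high-churn principal tuned out as a false positive
        n = counts.get((principal, latest), 0)
        density = gaussian_density(n, mean, std)
        if n > mean and density < threshold:
            alerts.append({"principal": principal, "window_start": latest.isoformat(),
                           "count": n, "baseline_mean": round(mean, 2), "density": density})
    return alerts


EVENTS = build_events()

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Only alice is flagged: her 20 deletions sit eighteen standard deviations above a baseline of two per window, while the same 20 from svc-autoscaler is about two deviations above its mean of seventeen and passes. Passing `allowlist={"alice"}` suppresses the remaining alert, which is how a known service account would be excluded in practice.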
Categories
- Cloud
- AWS
Data Sources
- Cloud Storage
ATT&CK Techniques
- T1078.004
- T1078
Created: 2024-11-14