Wiz User Created Or Deleted

Panther Rules

Summary
The 'Wiz User Created Or Deleted' rule monitors the creation and deletion of user accounts in the Wiz platform, a core part of user management and governance in cloud services. It analyzes audit logs generated by Wiz (log type 'Wiz.Audit') and looks for events indicating that a user was added or removed. The rule triggers on a threshold of one event, with a 60-minute deduplication period. Each event should be evaluated against the organization's identity management practices: changes to user access are expected to be pre-approved and carried out in line with established security policies. The rule is also associated with MITRE ATT&CK tactics related to account manipulation, which helps security teams respond to potential incidents involving user management.
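The logic described in the summary, as an added example (not the rule's own source): the match on Wiz.Audit records plus the one-event threshold and 60-minute deduplication, modelled here as a fixed window per key. The field names `action`, `status` and `user.name`, the action values `CreateUser` and `DeleteUser`, the dedup key and the helper `make_event` are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Assumed Wiz.Audit field names and action values (not stated on the page).
WATCHED_ACTIONS = {"CreateUser", "DeleteUser"}
DEDUP_PERIOD = timedelta(minutes=60)  # deduplication period from the summary
THRESHOLD = 1                         # event threshold from the summary

def rule(event):
    """Match only successful user creation or deletion events."""
    return event.get("status") == "SUCCESS" and event.get("action") in WATCHED_ACTIONS

def dedup_key(event):
    """Hypothetical grouping key: action plus the account that performed it."""
    actor = (event.get("user") or {}).get("name", "<unknown>")
    return f"{event['action']}:{actor}"

def evaluate(events):
    """Return one alert per dedup key per 60-minute window."""
    alerts, windows = [], {}
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["timestamp"])):
        if not rule(ev):
            continue
        ts, key = datetime.fromisoformat(ev["timestamp"]), dedup_key(ev)
        win = windows.get(key)
        if win is None or ts - win["start"] >= DEDUP_PERIOD:
            win = windows[key] = {"start": ts, "count": 0, "alerted": False}
        win["count"] += 1
        if win["count"] >= THRESHOLD and not win["alerted"]:
            win["alerted"] = True
            alerts.append({"key": key, "first_seen": ev["timestamp"]})
    return alerts

def make_event(ts, action, status="SUCCESS", actor="admin@example.com"):
    return {"timestamp": f"2024-09-16T{ts}:00+00:00", "action": action,
            "status": status, "user": {"name": actor}}

# Constructed sample records, not real Wiz output.
SAMPLE_EVENTS = [
    make_event("10:00", "CreateUser"),            # opens an alert
    make_event("10:20", "CreateUser"),            # same key, inside the window: folded in
    make_event("10:30", "DeleteUser", "FAILED"),  # unsuccessful: ignored
    make_event("10:45", "Login"),                 # unrelated action: ignored
    make_event("11:05", "CreateUser"),            # window expired: new alert
    make_event("11:10", "DeleteUser"),            # different key: new alert
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Keying the window on the acting account keeps a burst of changes by one administrator in a single alert while still surfacing a second actor separately.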
Categories
  • Cloud
  • Identity Management
Data Sources
  • WMI
  • User Account
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1136.003
  • T1070.009
Created: 2024-09-16