
Summary
This analytic rule detects the deletion of multiple Windows user accounts within a short time frame. Specifically, it triggers when more than five unique accounts are deleted in a 10-minute window, as recorded by Windows Security Event Code 4726, which logs a successfully deleted user account. The search runs over the `wineventlog_security` dataset, bucketing the relevant events by time so that deletions can be counted per window. Rapid account deletions can indicate malicious behavior, where an attacker attempts to cover their tracks or hinder incident response by removing user access. Organizations should remain vigilant against such activity, as it can lead to unauthorized access and complicate forensic investigations.
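The detection described above, as an added example that is not part of the original rule: a Python implementation of the same logic run over constructed Event Code 4726 records. Field names (`_time`, `EventCode`, `host`, `TargetUserName`, `SubjectUserName`) follow common wineventlog conventions and the values are made up. It counts unique deleted accounts (repeated deletions of the same name count once), ignores other event codes, and fires only when the count exceeds five, matching the "more than five" semantics of the rule. One deliberate design choice is a sliding window rather than fixed 10-minute buckets: a fixed `bin`-style bucket can miss a run of deletions that straddles a bucket boundary.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in the shape of Windows Security EventCode 4726
# ("A user account was deleted"). Hosts, users and times are made up.
SAMPLE_EVENTS = [
    # DC01: seven 4726 events for six unique accounts inside three minutes
    {"_time": "2024-11-13T09:00:05", "EventCode": 4726, "host": "DC01", "TargetUserName": "svc_backup01", "SubjectUserName": "jdoe"},
    {"_time": "2024-11-13T09:00:21", "EventCode": 4726, "host": "DC01", "TargetUserName": "svc_backup02", "SubjectUserName": "jdoe"},
    {"_time": "2024-11-13T09:00:40", "EventCode": 4726, "host": "DC01", "TargetUserName": "tmp_contractor", "SubjectUserName": "jdoe"},
    {"_time": "2024-11-13T09:01:02", "EventCode": 4726, "host": "DC01", "TargetUserName": "jsmith", "SubjectUserName": "jdoe"},
    # Account creation (4720) on the same host: must be ignored by the rule
    {"_time": "2024-11-13T09:01:10", "EventCode": 4720, "host": "DC01", "TargetUserName": "helpdesk_tmp", "SubjectUserName": "jdoe"},
    # Repeated deletion of the same name counts once toward the unique total
    {"_time": "2024-11-13T09:01:30", "EventCode": 4726, "host": "DC01", "TargetUserName": "jsmith", "SubjectUserName": "jdoe"},
    {"_time": "2024-11-13T09:02:11", "EventCode": 4726, "host": "DC01", "TargetUserName": "mwilson", "SubjectUserName": "jdoe"},
    {"_time": "2024-11-13T09:02:55", "EventCode": 4726, "host": "DC01", "TargetUserName": "ops_share", "SubjectUserName": "jdoe"},
    # DC02: three deletions spread over 35 minutes, below the threshold
    {"_time": "2024-11-13T08:30:00", "EventCode": 4726, "host": "DC02", "TargetUserName": "old_intern", "SubjectUserName": "hradmin"},
    {"_time": "2024-11-13T08:50:00", "EventCode": 4726, "host": "DC02", "TargetUserName": "leaver_a", "SubjectUserName": "hradmin"},
    {"_time": "2024-11-13T09:05:00", "EventCode": 4726, "host": "DC02", "TargetUserName": "leaver_b", "SubjectUserName": "hradmin"},
]

WINDOW = timedelta(minutes=10)
THRESHOLD = 5  # the rule fires when MORE than this many unique accounts are deleted


def parse_time(value):
    """Parse the ISO-8601 timestamp used in the constructed events."""
    return datetime.fromisoformat(value)


def find_mass_deletions(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per host for each run of 4726 events in which more than
    `threshold` unique accounts were deleted within `window` (sliding window)."""
    by_host = defaultdict(list)
    for e in events:
        if int(e.get("EventCode", 0)) != 4726:      # keep only account deletions
            continue
        by_host[e["host"]].append((parse_time(e["_time"]), e["TargetUserName"], e["SubjectUserName"]))

    alerts = []
    for host, rows in by_host.items():
        rows.sort(key=lambda r: r[0])
        i = 0
        while i < len(rows):
            start = rows[i][0]
            deleted, actors = set(), set()
            j = i
            # Extend the window from the i-th deletion while events fall within it
            while j < len(rows) and rows[j][0] - start <= window:
                deleted.add(rows[j][1])
                actors.add(rows[j][2])
                j += 1
            if len(deleted) > threshold:
                alerts.append({
                    "host": host,
                    "window_start": start.isoformat(),
                    "window_end": rows[j - 1][0].isoformat(),
                    "unique_accounts_deleted": len(deleted),
                    "accounts": sorted(deleted),
                    "actors": sorted(actors),
                })
                i = j          # skip past this run so it is not alerted twice
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in find_mass_deletions(SAMPLE_EVENTS):
        print(alert)
```

Running the block reports a single alert for DC01 (six unique accounts deleted by `jdoe` between 09:00:05 and 09:02:55) and nothing for DC02. The `actors` field is included because the deleting principal (`SubjectUserName`) is the first thing an analyst will want when triaging the alert, for instance to distinguish a scripted offboarding run by an HR-owned service account from deletions made from an unexpected account.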
Categories
- Endpoint
Data Sources
- Windows Registry
ATT&CK Techniques
- T1098
- T1078
Created: 2024-11-13