Azure Key Vault Deleted

Panther Rules

Summary
The Azure Key Vault Deleted rule alerts on the deletion of an Azure Key Vault, a critical operation that could signify ransomware activity or malicious intent to destroy secrets and encryption keys. It detects the deletion by analyzing Azure Monitor Activity logs for deletion commands. The rule's severity is Medium, reflecting the potential impact on sensitive data management and system security. Because any deletion can be destructive, the rule comes with a runbook that outlines steps to verify the authenticity of the deletion and assess its wider impact across Azure resources. The rule uses attributes from the logs to identify the resource involved, the user's actions, and their origin, so that an investigation can uncover abnormal patterns of access and changes in the environment that may indicate a broader security incident.
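The detection described above can be sketched as follows. This is an added example, not the rule's own source: the field names (`operationName`, `resultType`, `resourceId`, `caller`, `callerIpAddress`) are assumed from the Azure Activity Log schema, alerting only on completed deletes is an assumption, and the events are constructed.

```python
# Added example. Field names follow the Azure Activity Log schema (assumed here).
DELETE_OP = "MICROSOFT.KEYVAULT/VAULTS/DELETE"

def rule(event: dict) -> bool:
    """True for a completed Key Vault delete; 'Start' and failed attempts are skipped."""
    op = str(event.get("operationName", "")).upper()  # casing differs between exports
    result = str(event.get("resultType", "")).lower()
    return op == DELETE_OP and result == "success"

def vault_name(event: dict) -> str:
    """Vault name is the last segment of .../Microsoft.KeyVault/vaults/<name>."""
    parts = [p for p in str(event.get("resourceId", "")).split("/") if p]
    if len(parts) >= 2 and parts[-2].lower() == "vaults":
        return parts[-1]
    return "<unknown vault>"

def alert_context(event: dict) -> dict:
    """Attributes an analyst needs first: what was deleted, by whom, from where."""
    return {
        "vault": vault_name(event),
        "caller": event.get("caller", "<unknown caller>"),
        "source_ip": event.get("callerIpAddress", "<unknown ip>"),
        "time": event.get("time"),
    }

def triage(events: list) -> list:
    """Return one alert context per event that matches the rule."""
    return [alert_context(e) for e in events if rule(e)]

# Constructed sample events (not real log data).
_RID = ("/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-APP"
        "/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/")

def _ev(op, result, vault, caller="alice@example.com", ip="203.0.113.10"):
    return {"time": "2026-02-01T09:00:00Z", "operationName": op, "resultType": result,
            "resourceId": _RID + vault, "caller": caller, "callerIpAddress": ip}

SAMPLE_EVENTS = [
    _ev("MICROSOFT.KEYVAULT/VAULTS/DELETE", "Start", "KV-PROD"),
    _ev("MICROSOFT.KEYVAULT/VAULTS/DELETE", "Success", "KV-PROD"),
    _ev("Microsoft.KeyVault/vaults/delete", "Success", "kv-backup", ip="198.51.100.7"),
    _ev("MICROSOFT.KEYVAULT/VAULTS/DELETE", "Failure", "KV-DEV", caller="bob@example.com"),
    _ev("MICROSOFT.KEYVAULT/VAULTS/WRITE", "Success", "KV-DEV"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```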
Categories
  • Cloud
  • Azure
  • Identity Management
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1485
  • T1490
Created: 2026-01-14