
Azure Compute Restore Point Collection Deleted by Unusual User

Elastic Detection Rules

Summary
This rule detects the deletion of an Azure Restore Point Collection by a user who has not previously performed that operation. Restore Point Collections hold the point-in-time restore points used to recover virtual machines, so deleting them is a common step in ransomware and other destructive intrusions: it removes the recovery path and helps cover the attacker's tracks. The rule reads deletion events from Azure activity logs and compares the acting user against the users who have historically performed this operation. A deletion by a user with no such history is flagged as a potential security incident for further investigation. Because a first-time deletion can also be a legitimate but unusual change in who performs the operation, every alert should be reviewed rather than treated as confirmed malicious activity.
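The following is an added example written for this page, not the Elastic rule's own query or code. It reproduces the rule's logic in Python over a handful of constructed Azure activity log records: a successful Restore Point Collection deletion is flagged when the caller completed no such deletion during a baseline window before the detection window. The operation name `Microsoft.Compute/restorePointCollections/delete`, the record field names, the 30-day baseline, and all callers and resource IDs are assumptions made for the example.

```python
"""Added example: first-time-deleter check over Azure activity log records.

This is illustrative code written for this page, not the Elastic rule itself.
A successful deletion of a Restore Point Collection is flagged when the caller
did not complete that operation during a baseline window before the detection
window. Field names, operation name, and sample data are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Assumed operation name as written in Azure activity logs; compared
# case-insensitively below because log casing is not always consistent.
RPC_DELETE_OP = "Microsoft.Compute/restorePointCollections/delete"

# Constructed resource ID prefix for the sample records below.
RPC_PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000"
              "/resourceGroups/rg-prod/providers"
              "/Microsoft.Compute/restorePointCollections/")


def _event(ts, caller, op, status, name):
    """Build one constructed record shaped like an Azure activity log entry."""
    return {"eventTimestamp": ts, "caller": caller, "operationName": op,
            "status": status, "resourceId": RPC_PREFIX + name}


# Constructed sample activity log records (not real data).
SAMPLE_EVENTS = [
    _event("2025-09-20T08:00:00Z", "backup-ops@example.com", RPC_DELETE_OP, "Succeeded", "rpc-old"),
    _event("2025-10-01T09:15:00Z", "backup-ops@example.com", RPC_DELETE_OP, "Succeeded", "rpc-weekly"),
    # Azure logs a Started record before the Succeeded one; only the latter counts.
    _event("2025-10-13T02:10:00Z", "jdoe@example.com", RPC_DELETE_OP, "Started", "rpc-vm1"),
    _event("2025-10-13T02:10:05Z", "jdoe@example.com", RPC_DELETE_OP, "Succeeded", "rpc-vm1"),
    # A failed attempt by another new caller removed nothing, so it is not flagged here.
    _event("2025-10-13T03:00:00Z", "intern@example.com", RPC_DELETE_OP, "Failed", "rpc-vm2"),
    # A caller already seen in the baseline keeps deleting: expected, not flagged.
    _event("2025-10-13T04:00:00Z", "backup-ops@example.com", RPC_DELETE_OP, "Succeeded", "rpc-vm3"),
    # A second deletion by the same new caller is not re-alerted.
    _event("2025-10-13T04:30:00Z", "jdoe@example.com", RPC_DELETE_OP, "Succeeded", "rpc-vm4"),
]


def _ts(value):
    """Parse the ISO-8601 UTC timestamp format used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_completed_rpc_delete(event):
    """True for a Restore Point Collection delete that actually succeeded."""
    return (event["operationName"].lower() == RPC_DELETE_OP.lower()
            and event["status"] == "Succeeded")


def baseline_callers(events, window_start, window_end):
    """Callers who completed an RPC delete in [window_start, window_end)."""
    start, end = _ts(window_start), _ts(window_end)
    return {e["caller"] for e in events
            if is_completed_rpc_delete(e) and start <= _ts(e["eventTimestamp"]) < end}


def unusual_deletions(events, detection_start, baseline_days=30):
    """Return completed RPC deletions at or after detection_start whose caller
    completed none during the preceding baseline_days."""
    start = _ts(detection_start)
    baseline_start = (start - timedelta(days=baseline_days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    known = baseline_callers(events, baseline_start, detection_start)
    hits = []
    for e in sorted(events, key=lambda e: _ts(e["eventTimestamp"])):
        if not is_completed_rpc_delete(e) or _ts(e["eventTimestamp"]) < start:
            continue
        if e["caller"] in known:
            continue
        hits.append({"caller": e["caller"], "eventTimestamp": e["eventTimestamp"],
                     "resourceId": e["resourceId"]})
        known.add(e["caller"])  # later deletions by this caller are no longer "new"
    return hits


if __name__ == "__main__":
    for hit in unusual_deletions(SAMPLE_EVENTS, "2025-10-13T00:00:00Z"):
        print(f"ALERT {hit['eventTimestamp']} {hit['caller']} deleted {hit['resourceId']}")
```

Only the `Succeeded` record is treated as a deletion: Azure writes a `Started` record for the same operation first, and a `Failed` attempt removed nothing, so counting either would produce duplicate or spurious alerts. Run as a script it prints one alert, for the first deletion by `jdoe@example.com`.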
Categories
  • Cloud
  • Infrastructure
  • Application
Data Sources
  • Cloud Service
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1490 (Inhibit System Recovery)
Created: 2025-10-13