Azure Storage Immutability Policy Deleted

Panther Rules

Summary
This detection rule monitors for, and alerts on, the deletion of Azure Storage immutability policies. These policies provide Write Once Read Many (WORM) protection for cloud storage data: once data is protected under such a policy, it cannot be modified or deleted, even by administrators. Ransomware actors, in particular those associated with the Storm-0501 group, have been observed targeting these policies as a precursor to their attacks: by removing immutability they clear the way for subsequent data encryption, which makes such a deletion a critical indicator of an impending ransomware incident. The rule uses Azure Monitor Activity logs to track immutability policy deletions alongside related operations that signal defense evasion, giving a broader view of potential cloud-based threats. Response involves identifying the caller's identity and IP address from the logs and cross-referencing other log sources to assess the breadth of the attack.
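The following is an added example, not Panther's own rule source, showing how a detection of this kind is typically structured: a `rule()` predicate over an Azure Monitor Activity log record, a `title()` for the alert, and an `alert_context()` that surfaces the caller identity and IP a responder needs to pivot into other logs. The event field names (`operationName`, `status`, `caller`, `callerIpAddress`, `resourceId`), the "Succeeded" status value, and the sample events are assumptions and constructed data; the operation name is the Azure Storage resource-provider operation for deleting a container-level immutability policy.

```python
"""
Added example, not Panther's own rule source: a minimal Panther-style
Python detection for deletion of Azure Storage immutability policies.

Assumptions not confirmed by the page:
  * Events are Azure Monitor Activity log records flattened to dicts with
    the fields operationName, status, caller, callerIpAddress, resourceId
    (field names are assumed; adjust to the schema your log source uses).
  * The operation name for deleting a container-level immutability policy
    is the Azure Storage resource-provider operation named below.
"""
from typing import Any, Dict, List, Optional

IMMUTABILITY_POLICY_DELETE = (
    "Microsoft.Storage/storageAccounts/blobServices/containers/"
    "immutabilityPolicies/delete"
)


def rule(event: Dict[str, Any]) -> bool:
    """Fire only on a completed deletion, not on the Started/Failed records
    Azure also writes for the same operation."""
    op = str(event.get("operationName", ""))
    if op.lower() != IMMUTABILITY_POLICY_DELETE.lower():
        return False
    return str(event.get("status", "")).lower() == "succeeded"


def storage_account_from_resource_id(resource_id: str) -> Optional[str]:
    """Extract the storage account name from an ARM resource ID, e.g.
    .../providers/Microsoft.Storage/storageAccounts/<name>/blobServices/..."""
    parts = resource_id.split("/")
    lowered = [p.lower() for p in parts]
    try:
        return parts[lowered.index("storageaccounts") + 1]
    except (ValueError, IndexError):
        return None


def title(event: Dict[str, Any]) -> str:
    account = storage_account_from_resource_id(str(event.get("resourceId", "")))
    return (
        f"Azure Storage immutability policy deleted on account "
        f"{account or '<unknown>'} by {event.get('caller', '<unknown>')}"
    )


def alert_context(event: Dict[str, Any]) -> Dict[str, Any]:
    """Fields a responder needs first: who, from where, and which resource,
    so they can pivot into other logs for the same caller or IP."""
    resource_id = str(event.get("resourceId", ""))
    return {
        "caller": event.get("caller"),
        "callerIpAddress": event.get("callerIpAddress"),
        "resourceId": event.get("resourceId"),
        "storageAccount": storage_account_from_resource_id(resource_id),
        "operationName": event.get("operationName"),
    }


def evaluate(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Run the rule over a batch and return the alert context of each hit."""
    return [alert_context(e) for e in events if rule(e)]


# Constructed sample events (not real telemetry); placeholder subscription ID.
SAMPLE_RESOURCE_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-backups"
    "/providers/Microsoft.Storage/storageAccounts/prodbackups001/blobServices/default"
    "/containers/vm-snapshots/immutabilityPolicies/default"
)
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {  # completed deletion: should alert
        "operationName": IMMUTABILITY_POLICY_DELETE,
        "status": "Succeeded",
        "caller": "svc-backup-admin@example.com",
        "callerIpAddress": "203.0.113.45",
        "resourceId": SAMPLE_RESOURCE_ID,
    },
    {  # the Started record for the same operation: no alert
        "operationName": IMMUTABILITY_POLICY_DELETE,
        "status": "Started",
        "caller": "svc-backup-admin@example.com",
        "callerIpAddress": "203.0.113.45",
        "resourceId": SAMPLE_RESOURCE_ID,
    },
    {  # unrelated storage-account write: no alert
        "operationName": "Microsoft.Storage/storageAccounts/write",
        "status": "Succeeded",
        "caller": "deploy-pipeline@example.com",
        "callerIpAddress": "198.51.100.7",
        "resourceId": SAMPLE_RESOURCE_ID.split("/blobServices")[0],
    },
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

Filtering on the completed status matters because Azure writes separate Started and Succeeded records for one control-plane operation; alerting on both would double every alert, and alerting on Started alone would fire on attempts that RBAC or a policy lock actually blocked.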
Categories
  • Cloud
  • Azure
  • Infrastructure
Data Sources
  • Cloud Storage
  • Network Traffic
  • Application Log
  • Command
ATT&CK Techniques
  • T1562
  • T1562.001
  • T1490
  • T1485
Created: 2026-02-12