
Azure Diagnostic Settings Deletion

Elastic Detection Rules

Summary
This detection rule identifies the deletion of diagnostic settings in Azure. Adversaries may delete these settings to evade detection and disable logging, which obstructs later security analysis. The rule monitors Azure activity logs for operations that remove diagnostic settings and generates an alert when such an event is recorded, specifically a successful operation whose operation name is ‘MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE’. False positives may arise from legitimate administrative actions or from automated scripts that manage Azure resources or modify diagnostic settings. The rule has an associated risk score of 47, is classified as medium severity, and is implemented via KQL (Kusto Query Language). Triage involves validating the log sources, reviewing the user's activity, and assessing the affected resources to determine whether the deletion was authorized.
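The logic the summary describes, as an added Python example that is not part of the Elastic rule or its page: it parses constructed Azure activity-log records, keeps only successful operations whose name matches MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE (compared case-insensitively, because Azure emits operation names in mixed case), and groups the hits by caller to support the triage step of reviewing who performed the deletion. The record layout and field names (azure.activitylogs.operation_name, azure.activitylogs.caller, azure.resource.id, event.outcome) are assumptions chosen for this example, not taken from the rule.

```python
import json
from collections import Counter

# Operation name the rule keys on (from the rule summary). Azure reports the
# name in mixed case, so comparisons below normalise to upper case.
TARGET_OPERATION = "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE"

# Constructed sample log lines. Field names are assumptions for this example,
# not the real Azure or Elastic schema; the subscription id is a placeholder.
SAMPLE_LOG_LINES = [
    # 1: successful deletion by an interactive user -> should alert
    json.dumps({"@timestamp": "2024-01-10T08:01:12Z",
                "event": {"outcome": "success"},
                "azure": {"activitylogs": {"operation_name": "Microsoft.Insights/diagnosticSettings/delete",
                                           "caller": "alice@example.test"},
                          "resource": {"id": "/subscriptions/<sub-id>/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod"}}}),
    # 2: deletion attempt that failed -> no alert, the rule wants successes only
    json.dumps({"@timestamp": "2024-01-10T08:02:40Z",
                "event": {"outcome": "failure"},
                "azure": {"activitylogs": {"operation_name": "Microsoft.Insights/diagnosticSettings/delete",
                                           "caller": "bob@example.test"},
                          "resource": {"id": "/subscriptions/<sub-id>/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stprod"}}}),
    # 3: successful write of a diagnostic setting -> no alert, different operation
    json.dumps({"@timestamp": "2024-01-10T08:03:05Z",
                "event": {"outcome": "success"},
                "azure": {"activitylogs": {"operation_name": "Microsoft.Insights/diagnosticSettings/write",
                                           "caller": "alice@example.test"},
                          "resource": {"id": "/subscriptions/<sub-id>/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod"}}}),
    # 4: successful deletion, upper-case name, by an automation principal -> alert
    json.dumps({"@timestamp": "2024-01-10T08:05:59Z",
                "event": {"outcome": "success"},
                "azure": {"activitylogs": {"operation_name": "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE",
                                           "caller": "sp-automation"},
                          "resource": {"id": "/subscriptions/<sub-id>/resourceGroups/rg-dev/providers/Microsoft.Sql/servers/sqldev"}}}),
    # 5: malformed line -> skipped rather than crashing the detector
    "not json at all",
]


def _get(record, path, default=""):
    """Walk a dotted path through nested dicts; return default if any hop is missing."""
    cur = record
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def parse_line(line):
    """Return the decoded record, or None for lines that are not a JSON object."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return None
    return record if isinstance(record, dict) else None


def is_diag_settings_deletion(record):
    """True only for a successful diagnostic-settings delete operation."""
    op = str(_get(record, "azure.activitylogs.operation_name")).upper()
    outcome = str(_get(record, "event.outcome")).lower()
    return op == TARGET_OPERATION and outcome == "success"


def detect_deletions(lines):
    """Run the rule over raw log lines and return one alert dict per match."""
    alerts = []
    for line in lines:
        record = parse_line(line)
        if record is None or not is_diag_settings_deletion(record):
            continue
        alerts.append({
            "timestamp": _get(record, "@timestamp"),
            "caller": _get(record, "azure.activitylogs.caller", "<unknown>"),
            "resource": _get(record, "azure.resource.id", "<unknown>"),
            "risk_score": 47,       # values stated on the rule page
            "severity": "medium",
        })
    return alerts


def triage_summary(alerts):
    """Count alerts per caller: one interactive user deleting a single setting reads
    differently from a service principal deleting many in a short window."""
    return dict(Counter(a["caller"] for a in alerts))


if __name__ == "__main__":
    found = detect_deletions(SAMPLE_LOG_LINES)
    for alert in found:
        print(f"{alert['timestamp']} {alert['caller']} deleted diagnostic settings on {alert['resource']}")
    print("per-caller:", triage_summary(found))
```

On the constructed input only records 1 and 4 fire; the failed attempt and the write operation are ignored, and the malformed line is skipped. The per-caller summary is where the triage guidance above starts: a deletion by a known automation account that also manages the resource is a likely false positive, while an interactive user deleting settings on a production key vault warrants confirming the change was authorized.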
Categories
  • Cloud
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1562
  • T1562.001
Created: 2020-08-17