
Summary
This rule detects the deletion of an Azure SQL Server, a critical operation that destroys the entire server instance together with every database it hosts. The operation is monitored through Azure Monitor Activity logs for deletion events related to SQL Servers. When a server deletion is detected, the rule analyzes the associated caller IP address to identify potential threats or misuse of credentials, in particular by checking it against known cloud provider ranges and threat intelligence indicators. This proactive monitoring helps organizations react quickly to unintended or malicious changes in their Azure environment. The rule is currently experimental; follow-up queries are suggested to assess the scope of deletions and to correlate them with other resource-deletion activity. The rule maps to MITRE ATT&CK techniques for impact and data destruction.
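To make the detection logic concrete, the following is an added example (not the rule's own query or any vendor's code) that runs the same two steps over a few constructed Azure Activity log records: match the completed deletion of a SQL logical server, then classify the caller IP against corporate, cloud-provider and threat-intelligence reference sets. The field names (operationName, resultType, callerIpAddress, caller, resourceId) and the operation name Microsoft.Sql/servers/delete are assumptions about how the log source is mapped; the IP ranges and indicator are RFC 5737 documentation addresses, not real provider ranges or threat intel.

```python
import ipaddress
import json
from typing import Iterator

# Constructed Azure Activity log records, one JSON object per line (not real data).
# Field names follow the Azure Activity log schema and the operation name is the ARM
# operation for dropping a SQL logical server; both are assumptions about how the
# rule's log source is mapped in a given SIEM. Line 5 is a deliberately broken record.
SAMPLE_ACTIVITY_LOG = """\
{"operationName": "MICROSOFT.SQL/SERVERS/DELETE", "resultType": "Success", "callerIpAddress": "10.20.30.40", "caller": "dba@example.com", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Sql/servers/sql-prod-01"}
{"operationName": "MICROSOFT.SQL/SERVERS/DELETE", "resultType": "Success", "callerIpAddress": "203.0.113.9", "caller": "contractor@example.com", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Sql/servers/sql-prod-02"}
{"operationName": "MICROSOFT.SQL/SERVERS/DELETE", "resultType": "Start", "callerIpAddress": "192.0.2.5", "caller": "svc-deploy@example.com", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Sql/servers/sql-prod-03"}
{"operationName": "MICROSOFT.SQL/SERVERS/DELETE", "resultType": "Success", "callerIpAddress": "192.0.2.5", "caller": "svc-deploy@example.com", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Sql/servers/sql-prod-03"}
{"operationName": "MICROSOFT.SQL/SERVERS/DELETE", "resultType": "Success", "callerIpAddress":
{"operationName": "MICROSOFT.SQL/SERVERS/DATABASES/DELETE", "resultType": "Success", "callerIpAddress": "10.20.30.41", "caller": "dba@example.com", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Sql/servers/sql-prod-01/databases/orders"}
{"operationName": "MICROSOFT.SQL/SERVERS/WRITE", "resultType": "Success", "callerIpAddress": "10.20.30.40", "caller": "dba@example.com", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Sql/servers/sql-prod-04"}
"""

SQL_SERVER_DELETE = "microsoft.sql/servers/delete"
SUCCESS_RESULTS = {"success", "succeeded"}

# Constructed reference data (assumed): RFC 5737 documentation prefixes stand in for
# the corporate egress range, a cloud provider's published range, and a TI indicator.
CORPORATE_RANGES = [ipaddress.ip_network("10.0.0.0/8")]
CLOUD_PROVIDER_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
THREAT_INTEL_IPS = {ipaddress.ip_address("192.0.2.5")}


def parse_activity_log(raw: str) -> Iterator[dict]:
    """Yield one record per non-empty JSON line; lines that do not parse are skipped."""
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def is_sql_server_deletion(event: dict) -> bool:
    """Match only the completed deletion of a SQL logical server.

    Activity logs emit a 'Start' record before 'Success', so matching on result type
    avoids double alerts; database-level deletes (Microsoft.Sql/servers/databases/delete)
    are a different, narrower operation and are left to a separate rule."""
    op = str(event.get("operationName", "")).lower()
    result = str(event.get("resultType", "")).lower()
    return op == SQL_SERVER_DELETE and result in SUCCESS_RESULTS


def classify_caller_ip(ip_text: str) -> str:
    """Enrich the caller IP, most severe verdict first: TI hit > cloud provider > corporate."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    if ip in THREAT_INTEL_IPS:
        return "threat_intel"
    if any(ip in net for net in CLOUD_PROVIDER_RANGES):
        return "cloud_provider"
    if any(ip in net for net in CORPORATE_RANGES):
        return "corporate"
    return "other"


def detect(raw_log: str) -> list[dict]:
    """Run the rule over a log and return one enriched alert per completed server deletion."""
    alerts = []
    for event in parse_activity_log(raw_log):
        if not is_sql_server_deletion(event):
            continue
        ip = event.get("callerIpAddress", "")
        alerts.append({
            "resourceId": event.get("resourceId"),
            "caller": event.get("caller"),
            "callerIpAddress": ip,
            "ipVerdict": classify_caller_ip(ip),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_ACTIVITY_LOG):
        print(json.dumps(alert))
```

Running the block prints three alerts: the deletion from the corporate range, the one from the constructed cloud-provider range, and the one whose caller IP is on the indicator list. The verdict is an enrichment to drive triage priority, not a suppression: a deletion from a corporate address is still a server loss and still warrants the scoping queries the rule suggests.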
Categories
- Cloud
- Azure
- Database
Data Sources
- Cloud Service
- Application Log
- Network Traffic
ATT&CK Techniques
- T1485
- T1490
Created: 2026-01-14