
Summary
The rule "Azure Restore Point Collection Deleted" detects the deletion of restore point collections in Azure, an action that can indicate malicious activity, particularly during ransomware attacks. Restore point collections hold the recovery points needed to restore virtual machines (VMs); adversaries delete them to disrupt system recovery and to erase artefacts that could aid a forensic investigation. The detection monitors Azure Monitor Activity logs for deletions of restore point collections, snapshots, or disks and correlates these events with the caller's IP address to surface unusual patterns that may indicate a pre-ransomware stage. The rule includes procedures for identifying and analyzing such deletions and their potential context.
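As an added illustration (not the rule's own logic), the following Python script applies the same idea to a handful of constructed Activity Log records: it keeps successful deletions of restore point collections, snapshots and disks, groups them by caller IP address, and raises an alert when one IP removes more than one kind of recovery artefact within a short window. The operation names are assumed Resource Manager action names, and the records, subscription id, callers and IP addresses are constructed sample values.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Resource Manager actions assumed to correspond to the deletions the rule watches
# (restore point collections, snapshots, managed disks).
RECOVERY_DELETE_OPS = {
    "Microsoft.Compute/restorePointCollections/delete",
    "Microsoft.Compute/snapshots/delete",
    "Microsoft.Compute/disks/delete",
}

# Constructed Activity Log records (reduced field set, sample IPs and IDs, not real data).
SAMPLE_LOG = """\
{"time":"2026-01-14T10:00:05Z","operationName":"Microsoft.Compute/restorePointCollections/delete","resultType":"Success","caller":"ops@example.com","callerIpAddress":"203.0.113.10","resourceId":"/subscriptions/EXAMPLE-SUB/resourceGroups/prod/providers/Microsoft.Compute/restorePointCollections/rpc-vm01"}
{"time":"2026-01-14T10:01:40Z","operationName":"Microsoft.Compute/snapshots/delete","resultType":"Success","caller":"ops@example.com","callerIpAddress":"203.0.113.10","resourceId":"/subscriptions/EXAMPLE-SUB/resourceGroups/prod/providers/Microsoft.Compute/snapshots/snap-vm01"}
{"time":"2026-01-14T10:02:12Z","operationName":"Microsoft.Compute/disks/delete","resultType":"Success","caller":"ops@example.com","callerIpAddress":"203.0.113.10","resourceId":"/subscriptions/EXAMPLE-SUB/resourceGroups/prod/providers/Microsoft.Compute/disks/vm01-osdisk"}
{"time":"2026-01-14T10:03:00Z","operationName":"Microsoft.Compute/virtualMachines/start","resultType":"Success","caller":"ops@example.com","callerIpAddress":"203.0.113.10","resourceId":"/subscriptions/EXAMPLE-SUB/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/vm01"}
{"time":"2026-01-14T14:30:00Z","operationName":"Microsoft.Compute/snapshots/delete","resultType":"Success","caller":"cleanup-sp","callerIpAddress":"198.51.100.7","resourceId":"/subscriptions/EXAMPLE-SUB/resourceGroups/dev/providers/Microsoft.Compute/snapshots/snap-old"}
{"time":"2026-01-14T14:31:00Z","operationName":"Microsoft.Compute/disks/delete","resultType":"Failed","caller":"cleanup-sp","callerIpAddress":"198.51.100.7","resourceId":"/subscriptions/EXAMPLE-SUB/resourceGroups/dev/providers/Microsoft.Compute/disks/disk-old"}
"""

def recovery_deletions(log_text):
    """Return successful deletions of recovery artefacts, oldest first."""
    events = []
    for line in filter(None, log_text.splitlines()):
        rec = json.loads(line)
        if rec["operationName"] in RECOVERY_DELETE_OPS and rec["resultType"] == "Success":
            rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(rec)
    return sorted(events, key=lambda r: r["time"])

def detect(log_text, window=timedelta(minutes=15), min_kinds=2):
    """Alert on a caller IP that deletes at least `min_kinds` kinds of recovery
    artefact within `window`; returns {callerIpAddress: sorted resourceIds}."""
    by_ip = defaultdict(list)
    for ev in recovery_deletions(log_text):
        by_ip[ev["callerIpAddress"]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        for i, first in enumerate(evs):  # slide a window starting at each deletion
            span = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            if len({e["operationName"] for e in span}) >= min_kinds:
                alerts[ip] = sorted(e["resourceId"] for e in span)
                break
    return alerts

if __name__ == "__main__":
    for ip, resources in detect(SAMPLE_LOG).items():
        print(f"ALERT caller IP {ip} deleted {len(resources)} recovery artefacts: {resources}")
```

The failed disk deletion and the VM start are ignored, so only the caller that successfully removed a collection, a snapshot and a disk within a few minutes is reported; in practice the window and the alert threshold would be tuned to the tenant's normal backup-lifecycle activity.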
Categories
- Cloud
- Azure
Data Sources
- Cloud Service
- Logon Session
ATT&CK Techniques
- T1490
- T1485
Created: 2026-01-14