Azure Resource Group Deleted

Panther Rules

Summary
The Azure Resource Group Deleted detection rule identifies the deletion of an Azure Resource Group, an event that can indicate either malicious activity or legitimate maintenance. Deleting a resource group removes every resource it contains, so the impact can be severe, particularly when the deletion is malicious. The rule monitors Azure Monitor Activity logs for resource deletion operations and performs correlated investigation steps to determine whether the deletion is part of a larger pattern of destruction or originated from a suspicious IP address. The rule carries a medium severity because the potential for data destruction depends on what the resource group contained. The recommended response is to analyze the context of the deletion, check for a pattern of prior destructive actions, and use threat intelligence to evaluate the source IP address. The rule is marked experimental, meaning it is still being refined based on its observed effectiveness and user feedback.
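As an added example, not Panther's published rule: a Panther-style Python rule that implements the logic the summary describes, with a correlation helper that looks for prior deletions from the same caller IP inside a time window and checks the IP against a constructed watchlist standing in for a threat-intelligence lookup. Field names (`time`, `operationName`, `resultType`, `callerIpAddress`, `resourceId`) follow the Azure Monitor activity log schema; accepting both `Success` and `Succeeded` as result values, the watchlist and the sample events are assumptions, and events are plain dicts here rather than Panther's event object.

```python
from datetime import datetime, timedelta

# Azure Monitor emits operationName in varying case; compare lowercased.
RG_DELETE_OP = "microsoft.resources/subscriptions/resourcegroups/delete"
# Constructed watchlist (TEST-NET address) standing in for a threat-intel lookup.
SUSPICIOUS_IPS = {"203.0.113.7"}

def _ts(event):
    """Parse the activity log 'time' field (ISO 8601 with a trailing Z)."""
    return datetime.fromisoformat(event["time"].replace("Z", "+00:00"))

def rule(event):
    """Panther-style rule(): fire only on a successful resource group deletion."""
    op = (event.get("operationName") or "").lower()
    # Assumption: 'Succeeded' (REST API shape) or 'Success' (diagnostic export shape).
    return op == RG_DELETE_OP and event.get("resultType") in ("Succeeded", "Success")

def investigate(event, history, window=timedelta(hours=1)):
    """Correlation step: earlier successful deletions by the same IP, plus IP reputation."""
    ip = event.get("callerIpAddress")
    now, cutoff = _ts(event), _ts(event) - window
    prior = [e for e in history
             if rule(e) and e.get("callerIpAddress") == ip and cutoff <= _ts(e) < now]
    return {
        "caller_ip": ip,
        "prior_deletions": len(prior),
        "prior_groups": [e.get("resourceId") for e in prior],
        "suspicious_ip": ip in SUSPICIOUS_IPS,
    }

def title(event):
    return f"Azure resource group deleted: {event.get('resourceId')} from {event.get('callerIpAddress')}"

# Constructed sample events (not real logs); the subscription id is a placeholder.
_OP = "MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE"
HISTORY = [
    {"time": "2026-01-14T09:20:00Z", "operationName": _OP, "resultType": "Success",
     "callerIpAddress": "203.0.113.7", "resourceId": "/subscriptions/<sub-id>/resourceGroups/rg-a"},
    {"time": "2026-01-14T09:40:00Z", "operationName": _OP, "resultType": "Failure",  # failed: ignored
     "callerIpAddress": "203.0.113.7", "resourceId": "/subscriptions/<sub-id>/resourceGroups/rg-b"},
    {"time": "2026-01-14T09:50:00Z", "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE",
     "resultType": "Success", "callerIpAddress": "203.0.113.7",  # not a resource group: ignored
     "resourceId": "/subscriptions/<sub-id>/resourceGroups/rg-c/providers/Microsoft.Compute/virtualMachines/vm1"},
]
EVENT = {"time": "2026-01-14T10:00:00Z", "operationName": _OP, "resultType": "Success",
         "callerIpAddress": "203.0.113.7", "resourceId": "/subscriptions/<sub-id>/resourceGroups/rg-d"}

if __name__ == "__main__":
    if rule(EVENT):
        print(title(EVENT), investigate(EVENT, HISTORY))
```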
Categories
  • Cloud
  • Azure
  • Infrastructure
Data Sources
  • Cloud Service
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1485
Created: 2026-01-14