
Azure Firewall Policy Deleted

Panther Rules

Summary
The Azure Firewall Policy Deleted detection rule monitors the deletion of Azure Firewall policies. These policies define an environment's network security rules, so their removal can signal a significant threat, such as disabling security controls to facilitate unauthorized access or data exfiltration. The rule detects such activity by inspecting events logged in Azure Monitor Activity and identifying actions that could indicate an adversary's effort to undermine network security. It is classified as high severity because firewall policy deletion is a defense evasion behaviour in the MITRE ATT&CK framework (T1562.004, Impair Defenses: Disable or Modify System Firewall). The rule alerts on firewall policy deletions made from any observed IP address, and its runbook recommends querying the logs for related security operations in the 24 hours before and after the deletion. The tests defined for this rule check that a successful deletion triggers an alert and that unrelated operations do not, so the rule does not produce false positives on ordinary activity.
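The following is an added illustration of how a detection of this shape is typically expressed as a Panther-style Python rule, run over constructed Azure Monitor Activity events; it is not Panther's own rule code. The operation name, the result field, and the identity and caller-IP field names used below are assumptions and should be checked against the actual log schema before use.

```python
# Added example (not Panther's own rule): a Panther-style rule that alerts on
# successful deletion of an Azure Firewall policy, evaluated over constructed
# Azure Monitor Activity events. All field names are assumptions.
from typing import Any, Iterable, Mapping

# Assumed Azure resource-provider operation for firewall policy deletion;
# compared case-insensitively because activity logs are not consistent in casing.
FIREWALL_POLICY_DELETE_OPS = {"microsoft.network/firewallpolicies/delete"}
# Only a completed deletion changes the security posture; failed attempts are
# still worth hunting for but would be a separate, lower-severity rule.
SUCCESS_RESULTS = {"success", "succeeded"}


def deep_get(event: Mapping[str, Any], *keys: str, default: Any = None) -> Any:
    """Walk nested dictionaries safely (stand-in for Panther's event.deep_get)."""
    cur: Any = event
    for key in keys:
        if not isinstance(cur, Mapping) or key not in cur:
            return default
        cur = cur[key]
    return cur


def rule(event: Mapping[str, Any]) -> bool:
    """Alert when a firewall policy delete operation completed successfully."""
    operation = str(event.get("operationName", "")).lower()
    result = str(event.get("resultType", "")).lower()
    return operation in FIREWALL_POLICY_DELETE_OPS and result in SUCCESS_RESULTS


def title(event: Mapping[str, Any]) -> str:
    """Alert title naming the policy, the caller, and the source IP for the runbook."""
    actor = deep_get(event, "identity", "claims", "name", default="<unknown actor>")
    caller_ip = event.get("callerIpAddress", "<unknown ip>")
    resource = event.get("resourceId", "<unknown resource>")
    return f"Azure Firewall policy [{resource}] deleted by [{actor}] from [{caller_ip}]"


def dedup(event: Mapping[str, Any]) -> str:
    """Group repeated alerts for the same policy into one alert."""
    return str(event.get("resourceId", ""))


def evaluate(events: Iterable[Mapping[str, Any]]) -> list[str]:
    """Run the rule over a batch of events and return the titles of matches."""
    return [title(event) for event in events if rule(event)]


# Constructed sample events (not real log data): one successful delete that
# should alert, one failed delete and one unrelated write that should not.
SAMPLE_EVENTS = [
    {
        "operationName": "Microsoft.Network/firewallPolicies/delete",
        "resultType": "Success",
        "callerIpAddress": "203.0.113.10",
        "resourceId": "/subscriptions/EXAMPLE-SUB/resourceGroups/rg-net/providers/Microsoft.Network/firewallPolicies/corp-policy",
        "identity": {"claims": {"name": "example.user@example.com"}},
    },
    {
        "operationName": "Microsoft.Network/firewallPolicies/delete",
        "resultType": "Failure",
        "callerIpAddress": "203.0.113.11",
        "resourceId": "/subscriptions/EXAMPLE-SUB/resourceGroups/rg-net/providers/Microsoft.Network/firewallPolicies/corp-policy",
        "identity": {"claims": {"name": "example.user@example.com"}},
    },
    {
        "operationName": "Microsoft.Network/firewallPolicies/write",
        "resultType": "Success",
        "callerIpAddress": "203.0.113.12",
        "resourceId": "/subscriptions/EXAMPLE-SUB/resourceGroups/rg-net/providers/Microsoft.Network/firewallPolicies/corp-policy",
        "identity": {"claims": {"name": "example.admin@example.com"}},
    },
]

if __name__ == "__main__":
    for alert_title in evaluate(SAMPLE_EVENTS):
        print(alert_title)
```

The three constructed events mirror the page's test intent: the successful delete produces exactly one alert, while the failed delete and the policy write are ignored. The title carries the resource ID, actor and caller IP so an analyst can pivot straight into the runbook's 24-hour log query around the event.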
Categories
  • Cloud
  • Azure
  • Network
Data Sources
  • Logon Session
  • Application Log
  • Network Traffic
  • Cloud Service
ATT&CK Techniques
  • T1562.004
Created: 2026-01-14