Azure Action Groups Deleted

Panther Rules

Summary
This detection rule identifies when Azure action groups are deleted. Such deletions can silence the alert notifications that security teams rely on for timely incident response. The rule monitors Azure Monitor Activity logs for deletion operations on action groups and looks in particular for multiple deletions within a short timeframe, a pattern that may indicate a defense evasion tactic. It assesses the source IP addresses of the deletion requests to judge their legitimacy and cross-references them against known bad actors and unusual locations. It also checks for related suspicious activity, such as Azure alert rule deletions or other modifications to monitoring infrastructure, to build a clearer picture of a possible targeted attack or operational disruption.
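The logic described above, as an added example in the shape of a Panther-style Python rule, written here for illustration and not taken from the Panther rule itself. It assumes Azure Activity log records carry the fields `category`, `operationName`, `resultType`, `caller`, `callerIpAddress` and `time`, and that the delete operation name is `Microsoft.Insights/actionGroups/delete`; the window, threshold and sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed Azure Activity log operation name for an action group deletion;
# compared case-insensitively because casing differs between export paths.
ACTION_GROUP_DELETE = "microsoft.insights/actiongroups/delete"
WINDOW = timedelta(minutes=10)   # the "short timeframe" from the summary (assumed value)
THRESHOLD = 3                    # deletions per caller inside WINDOW (assumed value)

def rule(event: dict) -> bool:
    """Per-event check: a successful action-group delete in the Administrative category."""
    if event.get("category") != "Administrative":
        return False
    if (event.get("operationName") or "").lower() != ACTION_GROUP_DELETE:
        return False
    return (event.get("resultType") or "").lower() == "success"

def title(event: dict) -> str:
    """Alert title carrying the caller identity and source IP for triage."""
    return (f"Azure action group deleted by {event.get('caller', '<unknown>')} "
            f"from {event.get('callerIpAddress', '<unknown>')}")

class DeletionTracker:
    """Sliding window per caller; fires once THRESHOLD deletions land inside WINDOW."""
    def __init__(self):
        self._seen = defaultdict(deque)

    def observe(self, event: dict) -> bool:
        if not rule(event):
            return False
        ts = datetime.fromisoformat(event["time"].replace("Z", "+00:00"))
        window = self._seen[event.get("caller", "<unknown>")]
        window.append(ts)
        while window and ts - window[0] > WINDOW:   # drop deletions older than WINDOW
            window.popleft()
        return len(window) >= THRESHOLD

def _evt(time, op, result="Success"):
    return {"time": time, "category": "Administrative", "operationName": op,
            "resultType": result, "caller": "alice@example.com",
            "callerIpAddress": "203.0.113.5"}

# Constructed sample events (not real log data): three successful deletes in five
# minutes should fire; a failed delete, an alert-rule delete and a late delete should not.
SAMPLE_EVENTS = [
    _evt("2026-01-14T10:00:00Z", "Microsoft.Insights/actionGroups/delete"),
    _evt("2026-01-14T10:01:00Z", "Microsoft.Insights/actionGroups/delete", "Failure"),
    _evt("2026-01-14T10:02:00Z", "Microsoft.Insights/alertRules/delete"),
    _evt("2026-01-14T10:03:00Z", "Microsoft.Insights/actionGroups/delete"),
    _evt("2026-01-14T10:04:00Z", "Microsoft.Insights/actionGroups/delete"),
    _evt("2026-01-14T10:30:00Z", "Microsoft.Insights/actionGroups/delete"),
]

def run_sample() -> list:
    """Feed the sample events through one tracker and return the per-event verdicts."""
    tracker = DeletionTracker()
    return [tracker.observe(e) for e in SAMPLE_EVENTS]
```

Panther evaluates `rule()` per event; the tracker shows the threshold logic the summary describes and would map onto Panther's per-rule threshold and deduplication window in a deployed rule.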
Categories
  • Cloud
  • Azure
Data Sources
  • Logon Session
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1562.008
Created: 2026-01-14