
Summary
This rule identifies when a single user deletes multiple Azure Restore Point Collections within a brief time period. Restore Point Collections play a crucial role in disaster recovery by providing point-in-time recovery capabilities for virtual machines. The mass deletion of these collections is a common tactic used by adversaries, particularly during ransomware attacks, to hinder victim recovery efforts or amplify the destruction during an attack. Events of multiple deletions occurring in rapid succession may suggest malicious intent. The detection leverages activity logs from Azure, specifically targeting event actions related to the deletion of restore point collections. Key investigative measures include reviewing user activity logs to determine the legitimacy of deletions, checking for unauthorized access, and correlating with other suspicious behaviors indicative of ransomware activity.
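The detection logic described above, as an added example that is not the rule's own query or the product's code: it replays constructed Azure activity-log records and flags any caller who successfully deletes three or more distinct restore point collections inside a five-minute sliding window, ignoring failed attempts and duplicate records for the same resource. The operation name, the five-minute window and the threshold of three are assumptions, not values taken from the rule.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
# Activity-log operation written when a restore point collection is deleted
# (assumed Azure Compute operation name; compared case-insensitively).
DELETE_OP = "microsoft.compute/restorepointcollections/delete"

# Constructed sample records (one JSON object per line): "mallory" deletes three
# collections in two minutes (one attempt failed first), "ops-admin" deletes one.
SAMPLE_LOG = """\
{"eventTimestamp": "2025-10-13T09:00:05Z", "caller": "mallory@example.com", "operationName": "Microsoft.Compute/restorePointCollections/delete", "resourceId": "/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Compute/restorePointCollections/rpc-web01", "status": {"value": "Succeeded"}}
{"eventTimestamp": "2025-10-13T09:00:40Z", "caller": "mallory@example.com", "operationName": "Microsoft.Compute/restorePointCollections/delete", "resourceId": "/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Compute/restorePointCollections/rpc-db01", "status": {"value": "Failed"}}
{"eventTimestamp": "2025-10-13T09:01:10Z", "caller": "mallory@example.com", "operationName": "Microsoft.Compute/restorePointCollections/delete", "resourceId": "/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Compute/restorePointCollections/rpc-db01", "status": {"value": "Succeeded"}}
{"eventTimestamp": "2025-10-13T09:01:55Z", "caller": "ops-admin@example.com", "operationName": "Microsoft.Compute/restorePointCollections/delete", "resourceId": "/subscriptions/s1/resourceGroups/rg2/providers/Microsoft.Compute/restorePointCollections/rpc-old", "status": {"value": "Succeeded"}}
{"eventTimestamp": "2025-10-13T09:02:00Z", "caller": "mallory@example.com", "operationName": "Microsoft.Compute/restorePointCollections/delete", "resourceId": "/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Compute/restorePointCollections/rpc-app01", "status": {"value": "Succeeded"}}
"""

def parse_event(line):
    rec = json.loads(line)  # one Azure activity-log record
    return {
        "ts": datetime.fromisoformat(rec["eventTimestamp"].replace("Z", "+00:00")),
        "caller": rec.get("caller", "").lower(),
        "op": rec.get("operationName", "").lower(),
        "resource": rec.get("resourceId", "").lower(),
        "status": rec.get("status", {}).get("value", ""),
    }

def find_mass_deletions(lines, threshold=3, window=timedelta(minutes=5)):
    """Return (caller, window_start, resources) for each caller who successfully
    deletes >= threshold distinct restore point collections inside any window."""
    by_caller = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        # Azure logs Started/Succeeded/Failed records per operation; only a
        # Succeeded record means the recovery points are actually gone.
        if ev["op"] == DELETE_OP and ev["status"] == "Succeeded":
            by_caller[ev["caller"]].append(ev)
    alerts = []
    for caller, events in sorted(by_caller.items()):
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1  # shrink the sliding window from the left
            distinct = {e["resource"] for e in events[start:end + 1]}
            if len(distinct) >= threshold:
                alerts.append((caller, events[start]["ts"], sorted(distinct)))
                break  # one alert per caller is enough for triage
    return alerts
```

Running `find_mass_deletions(SAMPLE_LOG.splitlines())` on the constructed log produces a single alert for mallory@example.com covering rpc-app01, rpc-db01 and rpc-web01; the triage step that follows is the one the summary lists, reviewing that caller's other activity for signs of unauthorized access.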
Categories
- Cloud
- Azure
- Infrastructure
- On-Premise
Data Sources
- Cloud Service
- Logon Session
- Application Log
- Network Traffic
ATT&CK Techniques
- T1490
Created: 2025-10-13