Account Created And Deleted Within A Close Time Frame

Summary
This detection rule identifies instances where an account is created and then deleted within a short time frame, which can indicate malicious activity or misuse of administrative privileges. The rule targets Azure audit logs and focuses on successful user management actions, specifically looking for messages indicating 'Add user' and 'Delete user'. A close temporal relationship between account creation and deletion is a red flag for threat detection teams: an account may have been created to perform unauthorized actions and then removed quickly to cover tracks. The detection is rated high severity because of its potential as an indicator of compromise, and it is relevant to organizations that want to monitor user account lifecycle management more rigorously. Note that while detecting this pattern can strengthen an organization's security posture, legitimate administrative actions may also trigger this alert, so further investigation is needed to distinguish malicious changes from approved ones.
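The correlation the rule describes, as an added Python example that is not part of the Sigma rule or this page: it walks a list of audit records, keeps only successful user management events, pairs each 'Add user' with a later 'Delete user' for the same user principal name, and reports accounts whose lifetime falls inside a window. The record shape (activityDateTime, operationName, category, result, initiatedBy, targetResources) follows the Azure AD audit log layout, but every event, name and domain below is constructed for the example, and the 24-hour default window is an assumption, since the page does not state the rule's time frame.

```python
from datetime import datetime, timedelta

# Constructed sample records shaped after Azure AD audit log entries.
# All timestamps, names and domains are invented for this example.
SAMPLE_EVENTS = [
    {"activityDateTime": "2022-08-01T08:00:00Z", "operationName": "Add user",
     "category": "UserManagement", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"userPrincipalName": "j.doe@example.com"}]},
    {"activityDateTime": "2022-08-11T09:00:00Z", "operationName": "Add user",
     "category": "UserManagement", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"userPrincipalName": "tmp-svc@example.com"}]},
    {"activityDateTime": "2022-08-11T09:35:00Z", "operationName": "Delete user",
     "category": "UserManagement", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"userPrincipalName": "tmp-svc@example.com"}]},
    # A failed creation followed by a deletion: the rule only counts successes.
    {"activityDateTime": "2022-08-11T10:00:00Z", "operationName": "Add user",
     "category": "UserManagement", "result": "failure",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"userPrincipalName": "ghost@example.com"}]},
    {"activityDateTime": "2022-08-11T10:05:00Z", "operationName": "Delete user",
     "category": "UserManagement", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"userPrincipalName": "ghost@example.com"}]},
    # A normal leaver: created weeks before deletion, outside any short window.
    {"activityDateTime": "2022-08-20T17:00:00Z", "operationName": "Delete user",
     "category": "UserManagement", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "hr-admin@example.com"}},
     "targetResources": [{"userPrincipalName": "j.doe@example.com"}]},
]


def parse_time(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def initiator(event: dict) -> str:
    """Return who performed the action; initiatedBy may hold a user or an app."""
    by = event.get("initiatedBy", {})
    if "user" in by:
        return by["user"].get("userPrincipalName", "unknown")
    if "app" in by:
        return by["app"].get("displayName", "unknown")
    return "unknown"


def find_short_lived_accounts(events, window_minutes: int = 24 * 60):
    """Return accounts created and deleted within `window_minutes`.

    Only successful UserManagement events are considered, mirroring the
    rule's focus. The 24h default is an assumption made for this example.
    """
    window = timedelta(minutes=window_minutes)
    pending = {}  # UPN -> (creation time, who created it)
    hits = []
    for ev in sorted(events, key=lambda e: parse_time(e["activityDateTime"])):
        if ev.get("category") != "UserManagement" or ev.get("result") != "success":
            continue
        targets = ev.get("targetResources") or []
        if not targets:
            continue
        upn = targets[0].get("userPrincipalName")
        ts = parse_time(ev["activityDateTime"])
        op = ev.get("operationName")
        if op == "Add user":
            pending[upn] = (ts, initiator(ev))
        elif op == "Delete user" and upn in pending:
            created_at, creator = pending.pop(upn)
            lifetime = ts - created_at
            if lifetime <= window:
                hits.append({
                    "user": upn,
                    "created_by": creator,
                    "deleted_by": initiator(ev),
                    "lifetime_minutes": int(lifetime.total_seconds() // 60),
                })
    return hits


if __name__ == "__main__":
    for hit in find_short_lived_accounts(SAMPLE_EVENTS):
        print(hit)
```

On the constructed input only tmp-svc@example.com is reported (created and deleted 35 minutes apart); the failed creation of ghost@example.com is ignored because the rule counts successes only, and j.doe@example.com falls outside the window. Reporting who created and who deleted the account is what lets an analyst start the follow-up the summary calls for, since the same administrator doing both within minutes reads differently from two unrelated operators.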
Categories
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Cloud Service
  • Application Log
Created: 2022-08-11