
Summary
The rule 'Azure Diagnostic Settings Deleted' detects the deletion of diagnostic settings in Azure, which are a critical component of logging and monitoring. Deleting these settings is a significant security risk because an attacker with sufficient permissions can use it to switch off tracking and hide subsequent activity. When the alert fires, it means that logging and monitoring have been turned off for a resource, which may signal an attempt to conceal unauthorized actions. The rule has medium severity and is currently in the experimental phase; it maps to defense evasion, specifically the impairment of defenses. Detection relies on Azure Monitor Activity logs, targeting operations on diagnostic settings. Investigative steps include querying the logs for other deletion events that may be correlated with this one, checking whether the source IP is associated with known infrastructure, and reviewing the recent activity of the user or IP to judge whether it fits the pattern of a deliberate defense-evasion attempt.
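The following is an added example, not part of the rule's own definition or any vendor code, showing how the detection and the first investigative step (correlating deletion events by actor and flagging the source IP against known infrastructure) can be run over Activity log records. The field names (operationName, resultType, caller, callerIpAddress, resourceId, time) follow the Azure Monitor Activity log export schema as understood here and are an assumption; the sample records, the subscription id and the known-egress address set are constructed.

```python
"""Detect deletion of Azure diagnostic settings in Activity log records.

Added example. The record layout below (assumption) mirrors the Azure Monitor
Activity log export schema; the sample records are constructed, not telemetry.
"""
from collections import defaultdict

# Operation name recorded in the Activity log when a diagnostic setting is
# deleted. Azure writes it in varying case, so comparison is case-insensitive.
DIAG_SETTINGS_DELETE_OP = "microsoft.insights/diagnosticsettings/delete"

# Constructed: egress addresses the investigating team already knows (for
# example a corporate VPN). Used to annotate alerts, never to suppress them.
KNOWN_EGRESS_IPS = {"198.51.100.5"}

# Constructed sample records (documentation IPs, placeholder subscription id).
_SUB = "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-prod/providers"
SAMPLE_ACTIVITY_LOG = [
    {"time": "2026-01-14T08:01:12Z",
     "operationName": "Microsoft.Insights/diagnosticSettings/delete",
     "resultType": "Success",
     "caller": "ops-admin@example.com",
     "callerIpAddress": "198.51.100.5",
     "resourceId": _SUB + "/Microsoft.KeyVault/vaults/kv-prod/providers/microsoft.insights/diagnosticSettings/default"},
    {"time": "2026-01-14T08:01:40Z",
     "operationName": "Microsoft.Insights/diagnosticSettings/write",
     "resultType": "Success",
     "caller": "ops-admin@example.com",
     "callerIpAddress": "198.51.100.5",
     "resourceId": _SUB + "/Microsoft.KeyVault/vaults/kv-prod/providers/microsoft.insights/diagnosticSettings/default"},
    {"time": "2026-01-14T23:17:03Z",
     "operationName": "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE",
     "resultType": "Success",
     "caller": "svc-automation@example.com",
     "callerIpAddress": "203.0.113.77",
     "resourceId": _SUB + "/Microsoft.Storage/storageAccounts/stprodlogs/providers/microsoft.insights/diagnosticSettings/audit"},
    {"time": "2026-01-14T23:17:09Z",
     "operationName": "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE",
     "resultType": "Failure",
     "caller": "svc-automation@example.com",
     "callerIpAddress": "203.0.113.77",
     "resourceId": _SUB + "/Microsoft.Sql/servers/sql-prod/providers/microsoft.insights/diagnosticSettings/audit"},
]


def is_diagnostic_settings_deletion(record):
    """True when the record is a diagnostic-settings delete operation."""
    op = record.get("operationName", "")
    return op.casefold() == DIAG_SETTINGS_DELETE_OP


def find_deletions(records):
    """Return one alert dict per matching record, successful or not.

    Failed attempts are kept deliberately: a run of failures followed by a
    success is useful context for the analyst reviewing the alert.
    """
    alerts = []
    for r in records:
        if not is_diagnostic_settings_deletion(r):
            continue
        ip = r.get("callerIpAddress")
        alerts.append({
            "time": r.get("time"),
            "caller": r.get("caller"),
            "ip": ip,
            "resource": r.get("resourceId"),
            "succeeded": r.get("resultType") == "Success",
            "known_ip": ip in KNOWN_EGRESS_IPS,
        })
    return alerts


def correlate_by_actor(alerts):
    """Group alerts by (caller, ip) so repeated deletions by one actor stand out."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["caller"], a["ip"])].append(a)
    return {
        actor: {
            "count": len(items),
            "successful": sum(1 for a in items if a["succeeded"]),
            "resources": [a["resource"] for a in items],
            "known_ip": items[0]["known_ip"],
        }
        for actor, items in groups.items()
    }


if __name__ == "__main__":
    hits = find_deletions(SAMPLE_ACTIVITY_LOG)
    for actor, summary in correlate_by_actor(hits).items():
        print(actor, summary)
```

On the constructed data the write operation is ignored, the three delete records produce alerts, and the correlation shows one actor from a known egress address with a single deletion and a second actor from an unknown address with two attempts (one successful), which is the kind of grouping that makes the "correlated deletion events" step quick to answer.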
Categories
- Cloud
- Azure
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1562.008
Created: 2026-01-14