
Summary
The detection rule Azure Alert Rules Deleted identifies instances where alert rules in Microsoft Azure are deleted. Deleting an alert rule is a significant action because it can silence critical security notifications, which makes it a candidate technique for adversaries seeking to evade defenses. The rule monitors Azure Monitor Activity logs for operations that delete alert rules, so that organizations remain aware of changes that could weaken their security posture. When a deletion is observed, the investigation reviews the Activity log entries for the deleted rule and its associated notifications, both before and after the deletion event, to assess whether the pattern indicates malicious activity.
Significant components of the rule include examining the caller IP address against threat intelligence sources to determine whether it belongs to a known malicious service or, conversely, to an expected corporate network. Recent security and monitoring configuration changes are also reviewed to determine whether the deletion is part of a broader defense-evasion sequence. The rule is tagged under Defense Evasion and mapped to ATT&CK T1562.008 (Impair Defenses: Disable or Modify Cloud Logs), which reflects its role in keeping cloud environments monitored.
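The following is an added example of the detection and triage logic described above, run over a handful of constructed Azure Monitor Activity log records. It is not the rule's own query and not code from the rule's authors. The operation names (the `Microsoft.Insights/.../delete` forms for classic, metric, log-query and activity-log alert rules, plus diagnostic settings for correlation), the flattened record fields, the corporate IP range and the threat-intelligence indicator are all assumptions made for the example; verify the operation names against your own tenant's Activity log before reusing them.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumption: resource-provider operation names for deleting the common
# alert-rule kinds (classic, metric, log-query, activity-log). Confirm against
# the Activity log in your tenant before relying on this set.
ALERT_RULE_DELETE_OPS = {
    "microsoft.insights/alertrules/delete",
    "microsoft.insights/metricalerts/delete",
    "microsoft.insights/scheduledqueryrules/delete",
    "microsoft.insights/activitylogalerts/delete",
}
# Any other monitoring-configuration operation under this provider prefix is
# worth correlating with a deletion (assumption, as above).
MONITORING_PREFIX = "microsoft.insights/"

# Constructed for the example: a corporate egress range and a threat-intel list.
CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
THREAT_INTEL_IPS = {"198.51.100.77"}

# Constructed Activity log records, flattened to the fields the rule needs.
SAMPLE_EVENTS = [
    {"eventTimestamp": "2026-01-14T10:00:00+00:00", "caller": "alice@example.com",
     "callerIpAddress": "203.0.113.10",
     "operationName": "MICROSOFT.INSIGHTS/METRICALERTS/DELETE", "status": "Succeeded"},
    {"eventTimestamp": "2026-01-14T11:02:00+00:00", "caller": "svc-automation@example.com",
     "callerIpAddress": "198.51.100.77",
     "operationName": "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE", "status": "Succeeded"},
    {"eventTimestamp": "2026-01-14T11:05:00+00:00", "caller": "svc-automation@example.com",
     "callerIpAddress": "198.51.100.77",
     "operationName": "MICROSOFT.INSIGHTS/SCHEDULEDQUERYRULES/DELETE", "status": "Succeeded"},
    {"eventTimestamp": "2026-01-14T12:00:00+00:00", "caller": "bob@example.com",
     "callerIpAddress": "203.0.113.20",
     "operationName": "MICROSOFT.INSIGHTS/METRICALERTS/WRITE", "status": "Succeeded"},
    {"eventTimestamp": "2026-01-14T12:30:00+00:00", "caller": "bob@example.com",
     "callerIpAddress": "203.0.113.20",
     "operationName": "MICROSOFT.INSIGHTS/METRICALERTS/DELETE", "status": "Failed"},
]


def classify_caller_ip(ip):
    """Triage the caller IP: threat-intel hit, corporate range, or unknown."""
    if ip in THREAT_INTEL_IPS:
        return "threat-intel"
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in CORPORATE_RANGES):
        return "corporate"
    return "unknown"


def is_alert_rule_deletion(event):
    """Core match: a successful delete on an alert-rule resource type."""
    return (event["operationName"].lower() in ALERT_RULE_DELETE_OPS
            and event["status"].lower() == "succeeded")


def related_monitoring_changes(event, events, window=timedelta(hours=1)):
    """Other monitoring-configuration operations by the same caller within
    +/- window of the deletion, to expose a broader evasion sequence."""
    t0 = datetime.fromisoformat(event["eventTimestamp"])
    out = []
    for other in events:
        if other is event or other["caller"] != event["caller"]:
            continue
        if not other["operationName"].lower().startswith(MONITORING_PREFIX):
            continue
        if abs(datetime.fromisoformat(other["eventTimestamp"]) - t0) <= window:
            out.append(other["operationName"])
    return out


def detect(events):
    """Return one finding per matching deletion, with triage context attached."""
    findings = []
    for ev in events:
        if not is_alert_rule_deletion(ev):
            continue
        ip_class = classify_caller_ip(ev["callerIpAddress"])
        related = related_monitoring_changes(ev, events)
        if ip_class == "threat-intel" or related:
            severity = "high"      # hostile source or part of a wider change set
        elif ip_class == "corporate":
            severity = "low"       # expected network, isolated change
        else:
            severity = "medium"    # unrecognised source, needs a look
        findings.append({
            "timestamp": ev["eventTimestamp"], "caller": ev["caller"],
            "caller_ip": ev["callerIpAddress"], "ip_class": ip_class,
            "operation": ev["operationName"], "related_changes": related,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["timestamp"], f["caller"],
              f["operation"], f["related_changes"])
```

Run against the constructed records, the detector produces two findings: the deletion from the corporate range with no surrounding changes is rated low, while the deletion from the threat-intel address, preceded minutes earlier by a diagnostic-settings deletion from the same caller, is rated high. The failed deletion attempt and the write operation are not matched, which is a deliberate choice here; a team that wants failed attempts surfaced can drop the status check in `is_alert_rule_deletion`.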
Categories
- Cloud
- Azure
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1562.008
Created: 2026-01-14