
Azure Compute Snapshot Deletions by User

Elastic Detection Rules

Summary
This detection rule identifies a single user or service principal deleting many Azure disk snapshots within a short time window. Snapshots are a primary rollback and recovery mechanism for managed disks, so bulk deletion by one identity is a strong signal that an adversary is trying to inhibit recovery (for example, removing restore points before deploying ransomware) or destroying data and evidence. The rule is built on Azure Activity Log events: each snapshot-delete operation records the identity that initiated it and whether the operation succeeded, and the rule counts successful deletions per identity over the window.

Legitimate activity can look the same. Scheduled cleanup jobs, storage-cost optimisation, and tenant or subscription decommissioning all delete snapshots in bulk, usually from a known service principal or automation account. Triage therefore hinges on context: who the identity is and whether it normally performs this operation, whether the deletions came from a recognised automation source or an interactive session, whether the identity's sign-in and role assignments changed recently, and whether the affected snapshots belonged to production workloads. The rule's documentation lays out investigation steps, false-positive analysis, and response and remediation guidance for handling a confirmed incident. For organisations that rely on Azure snapshots as part of their backup strategy, this is a high-priority detection.
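The following is an added example, not Elastic's rule source, that runs the detection logic described above over constructed Azure activity-log records: successful snapshot-delete operations are grouped by the initiating identity and flagged when one identity deletes at least a threshold number of distinct snapshots inside a sliding window. The Azure operation name `Microsoft.Compute/snapshots/delete` is real; the ECS-style field layout, the identity fallback to an app id, the threshold of 5 and the 10-minute window are assumptions made for the example, not the rule's actual tuning. The sample records are fabricated.

```python
"""Sliding-window detection of mass Azure snapshot deletions per identity.

Added example, not Elastic's rule code. Field names, the service-principal
fallback and the threshold/window values are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Azure Activity Log operation for deleting a managed-disk snapshot.
SNAPSHOT_DELETE_OP = "Microsoft.Compute/snapshots/delete"

# Assumed tuning: the rule summary only says "mass deletion within a short time frame".
DEFAULT_THRESHOLD = 5            # distinct snapshots deleted by one identity
DEFAULT_WINDOW = timedelta(minutes=10)

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
SNAP = SUB + "/providers/Microsoft.Compute/snapshots/"
DISK = SUB + "/providers/Microsoft.Compute/disks/"


def _event(ts, op, resource, user=None, app_id=None, outcome="success"):
    """Build one constructed activity-log record (ECS-like layout is an assumption)."""
    identity = {}
    if user:
        identity["claims_initiated_by_user"] = {"name": user}
    if app_id:
        identity["claims"] = {"appid": app_id}
    return {
        "@timestamp": ts,
        "azure": {
            "activitylogs": {"operation_name": op, "identity": identity},
            "resource": {"id": resource},
        },
        "event": {"outcome": outcome},
    }


# Constructed sample data, not real telemetry.
SAMPLE_EVENTS = [
    # alice: six distinct snapshots in four minutes -> should alert
    _event("2025-10-10T09:00:00Z", SNAPSHOT_DELETE_OP, SNAP + "vm-web-01-snap", user="alice@example.com"),
    _event("2025-10-10T09:00:40Z", SNAPSHOT_DELETE_OP, SNAP + "vm-web-02-snap", user="alice@example.com"),
    _event("2025-10-10T09:01:20Z", SNAPSHOT_DELETE_OP, SNAP + "vm-db-01-snap", user="alice@example.com"),
    _event("2025-10-10T09:02:00Z", SNAPSHOT_DELETE_OP, SNAP + "vm-app-01-snap", user="alice@example.com"),
    _event("2025-10-10T09:03:10Z", SNAPSHOT_DELETE_OP, SNAP + "vm-app-02-snap", user="alice@example.com"),
    _event("2025-10-10T09:04:00Z", SNAPSHOT_DELETE_OP, SNAP + "vm-dc-01-snap", user="alice@example.com"),
    # noise that must not count: a failed delete and a disk (not snapshot) delete
    _event("2025-10-10T09:02:30Z", SNAPSHOT_DELETE_OP, SNAP + "vm-db-02-snap", user="alice@example.com", outcome="failure"),
    _event("2025-10-10T09:01:00Z", "Microsoft.Compute/disks/delete", DISK + "vm-web-01-osdisk", user="alice@example.com"),
    # bob: two deletions, below the default threshold
    _event("2025-10-10T11:00:00Z", SNAPSHOT_DELETE_OP, SNAP + "test-snap-a", user="bob@example.com"),
    _event("2025-10-10T11:05:00Z", SNAPSHOT_DELETE_OP, SNAP + "test-snap-b", user="bob@example.com"),
    # cleanup service principal: five deletions, but spread 30 minutes apart
    _event("2025-10-10T08:00:00Z", SNAPSHOT_DELETE_OP, SNAP + "old-snap-1", app_id="11111111-aaaa-bbbb-cccc-222222222222"),
    _event("2025-10-10T08:30:00Z", SNAPSHOT_DELETE_OP, SNAP + "old-snap-2", app_id="11111111-aaaa-bbbb-cccc-222222222222"),
    _event("2025-10-10T09:00:00Z", SNAPSHOT_DELETE_OP, SNAP + "old-snap-3", app_id="11111111-aaaa-bbbb-cccc-222222222222"),
    _event("2025-10-10T09:30:00Z", SNAPSHOT_DELETE_OP, SNAP + "old-snap-4", app_id="11111111-aaaa-bbbb-cccc-222222222222"),
    _event("2025-10-10T10:00:00Z", SNAPSHOT_DELETE_OP, SNAP + "old-snap-5", app_id="11111111-aaaa-bbbb-cccc-222222222222"),
]


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp; accept the trailing 'Z' on older Pythons."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_successful_snapshot_delete(event):
    """True for a completed snapshot-delete operation (case-insensitive on the op name)."""
    op = event.get("azure", {}).get("activitylogs", {}).get("operation_name", "")
    return op.lower() == SNAPSHOT_DELETE_OP.lower() and event.get("event", {}).get("outcome") == "success"


def actor_of(event):
    """Identity that initiated the operation: user name, else service principal app id (assumed fields)."""
    ident = event.get("azure", {}).get("activitylogs", {}).get("identity", {})
    user = ident.get("claims_initiated_by_user", {}).get("name")
    if user:
        return user
    app_id = ident.get("claims", {}).get("appid")
    return f"sp:{app_id}" if app_id else "unknown"


def detect_mass_snapshot_deletions(events, threshold=DEFAULT_THRESHOLD, window=DEFAULT_WINDOW):
    """Return one alert per identity that deleted >= threshold distinct snapshots within the window."""
    by_identity = defaultdict(list)
    for ev in events:
        if is_successful_snapshot_delete(ev):
            by_identity[actor_of(ev)].append((parse_ts(ev["@timestamp"]), ev["azure"]["resource"]["id"]))

    alerts = []
    for identity, deletions in by_identity.items():
        deletions.sort()
        for i, (start, _) in enumerate(deletions):
            in_window = [d for d in deletions[i:] if d[0] - start < window]
            snapshots = sorted({rid for _, rid in in_window})
            if len(snapshots) >= threshold:
                alerts.append({"identity": identity, "count": len(snapshots),
                               "window_start": start.isoformat(), "window_end": in_window[-1][0].isoformat(),
                               "snapshots": snapshots})
                break  # one alert per identity is enough for triage
    return sorted(alerts, key=lambda a: a["identity"])


if __name__ == "__main__":
    for alert in detect_mass_snapshot_deletions(SAMPLE_EVENTS):
        print(f"{alert['identity']} deleted {alert['count']} snapshots "
              f"between {alert['window_start']} and {alert['window_end']}")
```

Only alice trips the default threshold; the failed delete and the disk delete are ignored, and the cleanup service principal's five deletions never co-occur within one window, which is the pattern that separates scheduled maintenance from a burst. Lowering the threshold to 2 also catches bob, which illustrates why the window and threshold need tuning against the environment's normal automation before the rule is trusted for paging.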
Categories
  • Cloud
  • Infrastructure
Data Sources
  • User Account
  • Cloud Service
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1485 (Data Destruction)
  • T1490 (Inhibit System Recovery)
Created: 2025-10-10