Description
Missing detection coverage for Azure Recovery Services being deleted. These are typically vaults in Azure that contain data for copies of VMs, workloads, servers, etc., regarding IaaS. Deleting these recovery services can not only impact the capability to back up from stable operations, but also inhibit disaster recovery services during ransom-based attacks or operational mishaps.
We should make this a building block rule with intentions to craft more specific rules or correlation rules at a later point due to missing coverage entirely focusing on any Recovery Services deletion.
This is related to STORM-0501 ransom-based operations that involve deleting recovery service points, specifically vaults with fabric backup containers (`Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/delete`).
Emulation was completed to test the following query:
```kql
event.dataset: azure.activitylogs and
azure.activitylogs.operation_name: MICROSOFT.RECOVERYSERVICES/*/DELETE and
event.outcome: success
```
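To make the query's semantics concrete, the following is an added example (not code from this issue or from the detection-rules repository) that applies the same three conditions to constructed Azure activity-log events: dataset must be `azure.activitylogs`, outcome must be `success`, and the operation name must fall under `MICROSOFT.RECOVERYSERVICES/` and end in `/DELETE`. It assumes that the `*` wildcard matches across `/` separators (so the multi-segment `backupFabrics/protectionContainers/delete` operation from the issue is caught alongside a plain vault delete) and that operation names are compared case-insensitively; the sample events are invented for the demonstration.

```python
import fnmatch
import json

# Added example mirroring the issue's KQL: flag successful Azure activity-log
# operations under Microsoft.RecoveryServices whose name ends in /DELETE.
OPERATION_PATTERN = "MICROSOFT.RECOVERYSERVICES/*/DELETE"


def get_field(event, dotted):
    """Resolve a dotted ECS-style path such as 'event.outcome' in a nested dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_rule(event):
    """Return True if the event satisfies all three conditions of the query.

    Assumptions (not stated on the page): operation names are compared
    case-insensitively, and '*' matches any characters including '/', as a
    KQL wildcard does, so multi-segment resource paths are covered.
    """
    if get_field(event, "event.dataset") != "azure.activitylogs":
        return False
    if get_field(event, "event.outcome") != "success":
        return False
    op = get_field(event, "azure.activitylogs.operation_name")
    if not isinstance(op, str):
        return False
    # fnmatchcase treats '.' literally and lets '*' span '/' separators.
    return fnmatch.fnmatchcase(op.upper(), OPERATION_PATTERN)


def run_detection(events):
    """Return the operation names of all matching events, in input order."""
    return [get_field(e, "azure.activitylogs.operation_name")
            for e in events if matches_rule(e)]


# Constructed sample events (not real log data). The field layout follows the
# ECS-style mapping used in the issue's query; the values are invented.
SAMPLE_EVENTS = [
    # Backup container deleted inside a vault: the STORM-0501 case from the issue.
    {"event": {"dataset": "azure.activitylogs", "outcome": "success"},
     "azure": {"activitylogs": {"operation_name":
         "MICROSOFT.RECOVERYSERVICES/VAULTS/BACKUPFABRICS/PROTECTIONCONTAINERS/DELETE"}}},
    # Whole vault deleted.
    {"event": {"dataset": "azure.activitylogs", "outcome": "success"},
     "azure": {"activitylogs": {"operation_name":
         "MICROSOFT.RECOVERYSERVICES/VAULTS/DELETE"}}},
    # Failed deletion: excluded by the outcome filter.
    {"event": {"dataset": "azure.activitylogs", "outcome": "failure"},
     "azure": {"activitylogs": {"operation_name":
         "MICROSOFT.RECOVERYSERVICES/VAULTS/DELETE"}}},
    # Read of a vault: not a delete.
    {"event": {"dataset": "azure.activitylogs", "outcome": "success"},
     "azure": {"activitylogs": {"operation_name":
         "MICROSOFT.RECOVERYSERVICES/VAULTS/READ"}}},
    # Delete in another resource provider: outside the namespace.
    {"event": {"dataset": "azure.activitylogs", "outcome": "success"},
     "azure": {"activitylogs": {"operation_name":
         "MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE"}}},
    # Wrong dataset entirely.
    {"event": {"dataset": "azure.signinlogs", "outcome": "success"},
     "azure": {"activitylogs": {"operation_name":
         "MICROSOFT.RECOVERYSERVICES/VAULTS/DELETE"}}},
]


if __name__ == "__main__":
    for name in run_detection(SAMPLE_EVENTS):
        print(json.dumps({"alert": "recovery_services_delete",
                          "operation_name": name}))
```

Running the script emits one alert line per matching event; only the first two sample events match, which is the behaviour the building-block rule is meant to have before any more specific or correlation rules are layered on top of it.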