When VM is being deallocated, not only the VM is being stopped. However, hardware and network resources are being released. Thus, Monitoring for Deallocate Virtual Machine events gives insight into the changes made within your cloud environment regarding virtual machines and can help reduce the time for detecting unauthorized activity.
  • Recommended Mitigation

    Under Monitor -> Alerts, create an alert for 'Microsoft.Compute/virtualMachines/deallocate/action'