@Thomas Friis Poulsen, see

https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-prerequisites#before-you-start

"Recommended: User should have read-only permissions on the Deleted Objects container. This allows ATA to detect bulk deletion of objects in the domain. For information about configuring read-only permissions on the Deleted Objects container, see the Changing permissions on a deleted object container section in the View or Set Permissions on a Directory Object article."

 

Besides detection, this can help us know an account was deleted. Try this and see if it resolves the issue.
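One way to apply the read-only permission the quoted prerequisite describes, as an added example that is not part of the original reply or the linked documentation. It assumes the ActiveDirectory RSAT module, an elevated Domain Admin session, and a hypothetical service account name passed as `-Account`.

```powershell
# Added example: grant an ATA service account read-only access to Deleted Objects.
# The account name is supplied by the caller; 'CONTOSO\svc-ata' is a constructed sample.
param(
    [Parameter(Mandatory)]
    [string] $Account
)

Import-Module ActiveDirectory

# Resolve the container DN from the domain instead of hard-coding it.
$deleted = (Get-ADDomain).DeletedObjectsContainer

# Ownership has to be taken before permissions on this container can be changed.
dsacls $deleted /takeownership
if ($LASTEXITCODE -ne 0) { throw "Could not take ownership of $deleted" }

# LC = List Contents, RP = Read Property: read-only, no write or delete rights.
# ${Account} is braced so PowerShell does not parse "Account:" as a scope prefix.
dsacls $deleted /G "${Account}:LCRP"
if ($LASTEXITCODE -ne 0) { throw "Could not grant LCRP to $Account" }

# Verify: list the ACL and show only the entries for the service account.
dsacls $deleted | Select-String -SimpleMatch $Account
```

The final command should print an entry for the account; if it prints nothing, the grant did not take effect and ATA will still be unable to read the container.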
