
Summary
The detection rule identifies executions of the Windows Backup Command-Line Tool (wbadmin.exe) with parameters that delete backup files, specifically the backup catalog or system state backups. This behavior is typically associated with malicious activity, particularly ransomware, where attackers erase available backups to complicate recovery after infection. The rule uses data from Endpoint Detection and Response (EDR) sources, drawing on Sysmon and Windows Event Log process-creation records, and matches wbadmin.exe processes whose command line contains 'delete' together with 'catalog' or 'backup'. These actions pose a significant risk, because deleting backups can drastically hinder an organization's ability to recover from a data loss incident. The search filters these executions and returns timestamps and additional context to support investigation of potential threats.
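As an added example (not the rule's own search or code from the original page), the matching logic described above run in Python over a few constructed process-creation events. The field names (_time, dest, user, image, original_file_name, process) and the sample command lines are assumptions; the last record shows why checking Sysmon's OriginalFileName alongside the image name matters, since it survives a renamed copy of the binary.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events in a Sysmon EventID 1 style; these are
# assumptions for this example, not records taken from the original rule or page.
SAMPLE_EVENTS = [
    {"_time": "2024-12-10T08:01:12Z", "dest": "WS01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\wbadmin.exe", "original_file_name": "WBADMIN.EXE",
     "process": "wbadmin delete catalog -quiet"},
    {"_time": "2024-12-10T08:02:45Z", "dest": "WS01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\wbadmin.exe", "original_file_name": "WBADMIN.EXE",
     "process": "wbadmin.exe DELETE systemstatebackup -keepVersions:0"},
    {"_time": "2024-12-10T08:03:10Z", "dest": "FS02", "user": "CORP\\backupsvc",
     "image": r"C:\Windows\System32\wbadmin.exe", "original_file_name": "WBADMIN.EXE",
     "process": "wbadmin get versions"},                       # benign: no delete
    {"_time": "2024-12-10T08:04:00Z", "dest": "WS03", "user": "CORP\\bob",
     "image": r"C:\Windows\System32\cmd.exe", "original_file_name": "Cmd.Exe",
     "process": r"cmd.exe /c del C:\temp\catalog.txt"},        # benign: not wbadmin
    {"_time": "2024-12-10T08:05:30Z", "dest": "WS04", "user": "CORP\\carol",
     "image": r"C:\Users\carol\AppData\Local\Temp\svc.exe", "original_file_name": "WBADMIN.EXE",
     "process": "svc.exe delete catalog -quiet"},              # renamed wbadmin.exe
]

DELETE = re.compile(r"\bdelete\b", re.IGNORECASE)
TARGET = re.compile(r"catalog|backup", re.IGNORECASE)   # 'backup' also covers systemstatebackup


def is_wbadmin(event):
    """True when the image file name or Sysmon's OriginalFileName is wbadmin.exe."""
    names = {PureWindowsPath(event.get("image", "")).name.lower(),
             event.get("original_file_name", "").lower()}
    return "wbadmin.exe" in names


def detect_backup_deletion(events):
    """Apply the rule: wbadmin.exe run with 'delete' and 'catalog' or 'backup' in its command line.

    Returns the matching events with timestamp, host, user and command line for triage."""
    hits = []
    for ev in events:
        cmd = ev.get("process", "")
        if is_wbadmin(ev) and DELETE.search(cmd) and TARGET.search(cmd):
            hits.append({"_time": ev["_time"], "dest": ev["dest"],
                         "user": ev["user"], "process": cmd})
    return hits


if __name__ == "__main__":
    for hit in detect_backup_deletion(SAMPLE_EVENTS):
        print(f"{hit['_time']} {hit['dest']} {hit['user']}: {hit['process']}")
```

Scheduled backup maintenance can legitimately issue the same commands, so baseline hits by host and user before alerting at high severity.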
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1490
Created: 2024-12-10