
Summary
This detection rule, titled 'ZIA Backup Deleted', identifies when a backup created in the Zscaler Internet Access (ZIA) platform has been deleted. It inspects Zscaler.ZIA.AdminAuditLog events for backup operations and fires when an administrative user performs a delete action on a backup resource. The matching event records the action taken, the admin's identity, the affected resource name, the client IP address the request came from, and the timestamp of the operation. A successful deletion removes a recovery point, so unless the deletion is part of planned maintenance or a documented backup-rotation process, verify the intent with the admin who performed it and, where possible, restore or re-create the backup. The rule is mapped to the MITRE ATT&CK tactic Defense Evasion (TA0005) and technique T1562.008 (Impair Defenses: Disable or Modify Cloud Logs).
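The following is an added worked example of the detection logic described above, run over constructed sample audit-log lines; it is illustrative code written for this page, not the rule's own source. The nested event shape and the field names (event.action, event.category, event.resource, event.result, event.adminid, event.clientip, event.time) are assumptions about how Zscaler.ZIA.AdminAuditLog records look, as is the BACKUP_AND_RESTORE category value and the severity split between successful and failed deletions; check them against your own log schema before use.

```python
"""Added example (not the rule's own source): match backup deletions in
ZIA admin audit events and turn them into alerts.

Assumed record shape (verify against your Zscaler.ZIA.AdminAuditLog schema):
  {"event": {"action", "category", "resource", "result",
             "adminid", "clientip", "time", ...}}
"""
import json

ALERTING_ACTION = "DELETE"
BACKUP_CATEGORY = "BACKUP_AND_RESTORE"  # assumed category value for backup ops

# Constructed sample log lines, not real Zscaler output.
SAMPLE_LOG_LINES = [
    # 1. Successful backup deletion by an admin: should alert (HIGH).
    '{"event": {"action": "DELETE", "category": "BACKUP_AND_RESTORE", '
    '"resource": "weekly-config-backup-2024-11-10", "result": "SUCCESS", '
    '"adminid": "admin@example.com", "clientip": "203.0.113.10", '
    '"time": "2024-11-14T09:15:00Z"}}',
    # 2. Backup creation: same category, different action, no alert.
    '{"event": {"action": "CREATE", "category": "BACKUP_AND_RESTORE", '
    '"resource": "weekly-config-backup-2024-11-14", "result": "SUCCESS", '
    '"adminid": "admin@example.com", "clientip": "203.0.113.10", '
    '"time": "2024-11-14T09:20:00Z"}}',
    # 3. Deletion of an unrelated resource: right action, wrong category.
    '{"event": {"action": "DELETE", "category": "URL_FILTERING_RULE", '
    '"resource": "block-social-media", "result": "SUCCESS", '
    '"adminid": "admin@example.com", "clientip": "203.0.113.10", '
    '"time": "2024-11-14T09:25:00Z"}}',
    # 4. Failed deletion attempt: still worth seeing, at lower severity.
    '{"event": {"action": "DELETE", "category": "BACKUP_AND_RESTORE", '
    '"resource": "weekly-config-backup-2024-11-03", "result": "FAILURE", '
    '"adminid": "contractor@example.com", "clientip": "198.51.100.7", '
    '"time": "2024-11-14T09:30:00Z"}}',
    # 5. Malformed line: must be skipped, not crash the rule.
    '{"event": {"action": "DELETE", "category": "BACKUP_AND_RESTORE"',
]


def _field(event: dict, name: str, default: str = "<unknown>") -> str:
    """Read a field from the nested 'event' object, tolerating missing keys."""
    return str(event.get("event", {}).get(name, default))


def rule(event: dict) -> bool:
    """Fire on any delete action in the backup category, whatever the result."""
    return (
        _field(event, "action") == ALERTING_ACTION
        and _field(event, "category") == BACKUP_CATEGORY
    )


def severity(event: dict) -> str:
    """Design choice for this example: a completed deletion lost a recovery
    point (HIGH); a failed attempt is still suspicious but nothing was lost."""
    return "HIGH" if _field(event, "result") == "SUCCESS" else "MEDIUM"


def title(event: dict) -> str:
    """Alert title carrying the fields an analyst needs to triage."""
    return (
        f"ZIA backup [{_field(event, 'resource')}] deleted by "
        f"[{_field(event, 'adminid')}] from [{_field(event, 'clientip')}] "
        f"at {_field(event, 'time')} (result: {_field(event, 'result')})"
    )


def run(log_lines: list) -> list:
    """Evaluate the rule over raw JSON log lines and return alert dicts."""
    alerts = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed input rather than abort the whole batch
        if rule(event):
            alerts.append({"title": title(event), "severity": severity(event)})
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG_LINES):
        print(alert["severity"], alert["title"])
```

On the constructed input the rule produces two alerts: a HIGH one for the completed deletion and a MEDIUM one for the failed attempt, while the backup creation, the unrelated delete and the malformed line produce nothing. If planned maintenance regularly deletes old backups, prefer suppressing known rotation windows or service accounts at the alert-routing layer rather than loosening the match, so that an unexpected delete by a human admin still surfaces.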
Categories
- Cloud
- Infrastructure
Data Sources
- Logon Session
- Application Log
- Process
ATT&CK Techniques
- T1562.008
Created: 2024-11-14