
Summary
The detection rule 'ZIA Account Access Removed' monitors the Zscaler Internet Access (ZIA) Admin Audit Log for the deletion of administrator accounts or administrator roles. Removing an administrator's access is often a routine lifecycle change, but it is also how an attacker who has obtained admin privileges locks defenders out of the console (ATT&CK T1531, Account Access Removal), so every occurrence warrants confirmation. When the rule fires, the alert carries the action performed, the administrator who performed it, the account or role that was removed, and the interface used (for example the admin UI rather than the API). Because the events come from the ZIA Admin Audit Log, each removal is attributable to a specific administrator session. The rule ships with a runbook that asks the responder to confirm the removal was a planned change and, if it was not, to restore the deleted account or role so administrative coverage is not silently reduced.
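The following is an added example of the detection logic described above run over constructed ZIA Admin Audit Log records; it is not the rule's own code. The field names (`event.action`, `event.category`, `event.result`, `event.interface`, `event.adminid`, `event.preaction`) are assumed from the ZIA audit log format, and the sample records are made up. It goes slightly beyond the summary by treating role deletions the same way as user deletions, since both fall under administrator management in the audit log.

```python
"""Detect successful deletion of ZIA administrator users or roles.

Field names are assumptions about the ZIA Admin Audit Log layout; the
records below are constructed for illustration, not real exports.
"""
import json
from typing import Any, Dict, List

# Constructed sample audit records (assumed field names, invented values).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # admin user deleted through the UI -> should alert
        "event": {
            "time": "2024-11-06 10:15:22", "action": "DELETE",
            "category": "ADMINISTRATOR_MANAGEMENT", "subcategory": "ADMINISTRATOR",
            "result": "SUCCESS", "interface": "UI",
            "adminid": "alice@example.com", "clientip": "203.0.113.10",
            "preaction": json.dumps({"loginName": "bob@example.com",
                                     "role": {"name": "Super Admin"}}),
            "postaction": "{}",
        }
    },
    {   # admin role deleted through the API -> should alert
        "event": {
            "time": "2024-11-06 10:16:01", "action": "DELETE",
            "category": "ADMINISTRATOR_MANAGEMENT", "subcategory": "ROLE",
            "result": "SUCCESS", "interface": "API",
            "adminid": "svc-automation@example.com", "clientip": "203.0.113.11",
            "preaction": {"name": "Auditor Role"}, "postaction": {},
        }
    },
    {   # admin created, not deleted -> no alert
        "event": {
            "time": "2024-11-06 10:17:40", "action": "CREATE",
            "category": "ADMINISTRATOR_MANAGEMENT", "subcategory": "ADMINISTRATOR",
            "result": "SUCCESS", "interface": "UI",
            "adminid": "alice@example.com", "clientip": "203.0.113.10",
            "preaction": "{}", "postaction": json.dumps({"loginName": "carol@example.com"}),
        }
    },
    {   # deletion attempt that failed -> no alert (nothing was removed)
        "event": {
            "time": "2024-11-06 10:18:05", "action": "DELETE",
            "category": "ADMINISTRATOR_MANAGEMENT", "subcategory": "ADMINISTRATOR",
            "result": "FAILURE", "interface": "UI",
            "adminid": "dave@example.com", "clientip": "198.51.100.7",
            "preaction": json.dumps({"loginName": "alice@example.com"}), "postaction": "{}",
        }
    },
    {   # deletion in an unrelated category -> no alert
        "event": {
            "time": "2024-11-06 10:19:12", "action": "DELETE",
            "category": "URL_FILTERING_POLICY", "subcategory": "URL_FILTERING_RULE",
            "result": "SUCCESS", "interface": "UI",
            "adminid": "alice@example.com", "clientip": "203.0.113.10",
            "preaction": json.dumps({"name": "Block social media"}), "postaction": "{}",
        }
    },
]


def _as_dict(value: Any) -> Dict[str, Any]:
    """preaction/postaction may arrive as a JSON string or a parsed object."""
    if isinstance(value, dict):
        return value
    if isinstance(value, str):
        try:
            parsed = json.loads(value)
            return parsed if isinstance(parsed, dict) else {}
        except json.JSONDecodeError:
            return {}
    return {}


def is_admin_access_removed(record: Dict[str, Any]) -> bool:
    """Rule condition: a successful DELETE within administrator management."""
    ev = record.get("event") or {}
    return (
        ev.get("result") == "SUCCESS"
        and ev.get("category") == "ADMINISTRATOR_MANAGEMENT"
        and ev.get("action") == "DELETE"
    )


def alert_context(record: Dict[str, Any]) -> Dict[str, Any]:
    """Details a responder needs: who acted, what was removed, and how."""
    ev = record.get("event") or {}
    pre = _as_dict(ev.get("preaction"))  # state before the deletion
    return {
        "action": ev.get("action"),
        "object_type": ev.get("subcategory"),
        "triggering_user": ev.get("adminid"),
        # users carry loginName; roles carry name
        "affected": pre.get("loginName") or pre.get("name"),
        "interface": ev.get("interface"),
        "source_ip": ev.get("clientip"),
        "time": ev.get("time"),
    }


def run_detection(records: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Apply the rule to a batch of records and return one context per alert."""
    return [alert_context(r) for r in records if is_admin_access_removed(r)]


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Only the two successful deletions under administrator management produce alerts; the failed deletion is deliberately excluded because nothing was actually removed, which keeps the rule aligned with the runbook's "revert the removal" step. A failed attempt to delete an administrator is still interesting and could be a separate, lower-severity rule.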
Categories
- Identity Management
- Cloud
- Endpoint
Data Sources
- User Account
- Application Log
ATT&CK Techniques
- T1531
Created: 2024-11-06