Third-party Backup Files Deleted via Unexpected Process

Elastic Detection Rules

Summary
This rule detects the deletion of backup files created by third-party backup software (specifically Veritas and Veeam) by a process that is not part of the designated backup suite. Ransomware attacks often target backup files, since deleting or manipulating them can leave victims without recovery options. The rule identifies these deletions by monitoring file events and comparing the deleting process against the expected legitimate processes. It uses EQL (Event Query Language) to filter logs from several data sources for potentially malicious activity. The rule matches specific file extensions associated with the named backup products and checks that the deleting process is not one recognized as legitimate. It also includes response guidance for identified incidents and outlines triage actions for investigating the suspicious activity thoroughly.
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • File
  • Application Log
  • Network Traffic
  • User Account
ATT&CK Techniques
  • T1485
  • T1490
Created: 2021-10-01