diff --git a/rules/zscaler_rules/zia/zia_log_streaming_disabled.py b/rules/zscaler_rules/zia/zia_log_streaming_disabled.py
new file mode 100644
index 000000000..8208c2583
--- /dev/null
+++ b/rules/zscaler_rules/zia/zia_log_streaming_disabled.py
@@ -0,0 +1,31 @@
+from panther_zscaler_helpers import zia_alert_context, zia_success
+from pygments.lexer import default
+
+
+def rule(event):
+    if not zia_success(event):
+        return False
+    action = event.deep_get("event", "action", default="ACTION_NOT_FOUND")
+    category = event.deep_get("event", "category", default="CATEGORY_NOT_FOUND")
+    if action == "DELETE" and category == "NSS":
+        return True
+    return False
+
+
+def title(event):
+    cloud_connection_url = event.deep_get(
+        "event",
+        "preaction",
+        "cloudNssSiemConfiguration",
+        "connectionURL",
+        default="<CLOUD_CONNECTION_URL_NOT_FOUND>",
+    )
+    return (
+        f"[Zscaler.ZIA]: Log streaming for location [{cloud_connection_url}] "
+        f"was deleted by admin with id "
+        f"[{event.deep_get('event', 'adminid', default='<ADMIN_ID_NOT_FOUND>')}]"
+    )
+
+
+def alert_context(event):
+    return zia_alert_context(event)
diff --git a/rules/zscaler_rules/zia/zia_log_streaming_disabled.yml b/rules/zscaler_rules/zia/zia_log_streaming_disabled.yml
new file mode 100644
index 000000000..0c481ed3e
--- /dev/null
+++ b/rules/zscaler_rules/zia/zia_log_streaming_disabled.yml
@@ -0,0 +1,159 @@
+AnalysisType: rule
+RuleID: ZIA.Log.Streaming.Disabled
+Description: This rule detects when ZIA log streaming was disabled.
+DisplayName: ZIA Log Streaming Disabled
+Runbook: Verify that this change was planned. If not, make sure to restore previous settings.
+Reference: https://help.zscaler.com/zia/about-nss-feeds
+Enabled: true
+Filename: zia_log_streaming_disabled.py
+Severity: Medium
+Reports:
+  MITRE ATT&CK:
+    - TA0005:T1562.008 # Disable or Modify Cloud Logs
+LogTypes:
+  - Zscaler.ZIA.AdminAuditLog
+DedupPeriodMinutes: 60
+Threshold: 1
+Tests:
+  - Name: Log streaming disabled (NSS deleted)
+    ExpectedResult: true
+    Log:
+      {
+        "event": {
+          "action": "DELETE",
+          "adminid": "admin@test.zscalerbeta.net",
+          "auditlogtype": "ZIA",
+          "category": "NSS",
+          "clientip": "1.2.3.4",
+          "errorcode": "None",
+          "interface": "UI",
+          "postaction": { },
+          "preaction": {
+            "cloudNss": true,
+            "cloudNssSiemConfiguration": {
+              "connectionHeaders": [
+                "123:123"
+              ],
+              "connectionURL": "https://logs.company.net/http/a7adc684-f65c-42af-9519-0a0786656f20",
+              "lastSuccessFullTest": 0,
+              "maxBatchSize": 512,
+              "nssType": "NSS_FOR_WEB",
+              "oAuthAuthentication": false,
+              "siemType": "OTHER",
+              "testConnectivityCode": 0
+            },
+            "customEscapedCharacter": [
+              "ASCII_44",
+              "ASCII_92",
+              "ASCII_34"
+            ],
+            "duplicateLogs": 0,
+            "epsRateLimit": 0,
+            "feedOutputFormat": "\\{ \"sourcetype\" : \"zscalernss-web\", \"event\" : \\{\"datetime\":\"%d{yy}-%02d{mth}-%02d{dd} %02d{hh}:%02d{mm}:%02d{ss}\",\"reason\":\"%s{reason}\",\"event_id\":\"%d{recordid}\",\"protocol\":\"%s{proto}\",\"action\":\"%s{action}\",\"transactionsize\":\"%d{totalsize}\",\"responsesize\":\"%d{respsize}\",\"requestsize\":\"%d{reqsize}\",\"urlcategory\":\"%s{urlcat}\",\"serverip\":\"%s{sip}\",\"requestmethod\":\"%s{reqmethod}\",\"refererURL\":\"%s{ereferer}\",\"useragent\":\"%s{eua}\",\"product\":\"NSS\",\"location\":\"%s{elocation}\",\"ClientIP\":\"%s{cip}\",\"status\":\"%s{respcode}\",\"user\":\"%s{elogin}\",\"url\":\"%s{eurl}\",\"vendor\":\"Zscaler\",\"hostname\":\"%s{ehost}\",\"clientpublicIP\":\"%s{cintip}\",\"threatcategory\":\"%s{malwarecat}\",\"threatname\":\"%s{threatname}\",\"filetype\":\"%s{filetype}\",\"appname\":\"%s{appname}\",\"app_status\":\"%s{app_status}\",\"pagerisk\":\"%d{riskscore}\",\"threatseverity\":\"%s{threatseverity}\",\"department\":\"%s{edepartment}\",\"urlsupercategory\":\"%s{urlsupercat}\",\"appclass\":\"%s{appclass}\",\"dlpengine\":\"%s{dlpeng}\",\"urlclass\":\"%s{urlclass}\",\"threatclass\":\"%s{malwareclass}\",\"dlpdictionaries\":\"%s{dlpdict}\",\"fileclass\":\"%s{fileclass}\",\"bwthrottle\":\"%s{bwthrottle}\",\"contenttype\":\"%s{contenttype}\",\"unscannabletype\":\"%s{unscannabletype}\",\"deviceowner\":\"%s{deviceowner}\",\"devicehostname\":\"%s{devicehostname}\",\"keyprotectiontype\":\"%s{keyprotectiontype}\"\\}\\}\n",
+            "feedStatus": "ENABLED",
+            "id": 2898,
+            "jsonArrayToggle": true,
+            "name": "test-feed-2",
+            "nssFeedType": "JSON",
+            "nssFilter": {
+              "securityFeedFilter": false
+            },
+            "nssLogType": "WEBLOG",
+            "timeZone": "GMT",
+            "userObfuscation": "DISABLED"
+          },
+          "recordid": "371",
+          "resource": "test-feed-2",
+          "result": "SUCCESS",
+          "subcategory": "NSS_FEED",
+          "time": "2024-11-04 16:34:34.000000000"
+        },
+        "sourcetype": "zscalernss-audit"
+      }
+  - Name: NSS created
+    ExpectedResult: false
+    Log:
+      {
+        "event": {
+          "action": "CREATE",
+          "adminid": "admin@test.zscalerbeta.net",
+          "auditlogtype": "ZIA",
+          "category": "NSS",
+          "clientip": "1.2.3.4",
+          "errorcode": "None",
+          "interface": "UI",
+          "postaction": {
+            "cloudNss": true,
+            "cloudNssSiemConfiguration": {
+              "clientSecret": "******",
+              "connectionHeaders": [
+                "123:123"
+              ],
+              "connectionURL": "https://logs.company.net/http/a7adc684-f65c-42af-9519-0a0786656f20",
+              "lastSuccessFullTest": 0,
+              "maxBatchSize": 512,
+              "nssType": "NSS_FOR_WEB",
+              "oAuthAuthentication": false,
+              "siemType": "OTHER",
+              "testConnectivityCode": 0
+            },
+            "customEscapedCharacter": [
+              "ASCII_44",
+              "ASCII_92",
+              "ASCII_34"
+            ],
+            "duplicateLogs": 0,
+            "epsRateLimit": 0,
+            "feedOutputFormat": "\\{ \"sourcetype\" : \"zscalernss-web\", \"event\" : \\{\"datetime\":\"%d{yy}-%02d{mth}-%02d{dd} %02d{hh}:%02d{mm}:%02d{ss}\",\"reason\":\"%s{reason}\",\"event_id\":\"%d{recordid}\",\"protocol\":\"%s{proto}\",\"action\":\"%s{action}\",\"transactionsize\":\"%d{totalsize}\",\"responsesize\":\"%d{respsize}\",\"requestsize\":\"%d{reqsize}\",\"urlcategory\":\"%s{urlcat}\",\"serverip\":\"%s{sip}\",\"requestmethod\":\"%s{reqmethod}\",\"refererURL\":\"%s{ereferer}\",\"useragent\":\"%s{eua}\",\"product\":\"NSS\",\"location\":\"%s{elocation}\",\"ClientIP\":\"%s{cip}\",\"status\":\"%s{respcode}\",\"user\":\"%s{elogin}\",\"url\":\"%s{eurl}\",\"vendor\":\"Zscaler\",\"hostname\":\"%s{ehost}\",\"clientpublicIP\":\"%s{cintip}\",\"threatcategory\":\"%s{malwarecat}\",\"threatname\":\"%s{threatname}\",\"filetype\":\"%s{filetype}\",\"appname\":\"%s{appname}\",\"app_status\":\"%s{app_status}\",\"pagerisk\":\"%d{riskscore}\",\"threatseverity\":\"%s{threatseverity}\",\"department\":\"%s{edepartment}\",\"urlsupercategory\":\"%s{urlsupercat}\",\"appclass\":\"%s{appclass}\",\"dlpengine\":\"%s{dlpeng}\",\"urlclass\":\"%s{urlclass}\",\"threatclass\":\"%s{malwareclass}\",\"dlpdictionaries\":\"%s{dlpdict}\",\"fileclass\":\"%s{fileclass}\",\"bwthrottle\":\"%s{bwthrottle}\",\"contenttype\":\"%s{contenttype}\",\"unscannabletype\":\"%s{unscannabletype}\",\"deviceowner\":\"%s{deviceowner}\",\"devicehostname\":\"%s{devicehostname}\",\"keyprotectiontype\":\"%s{keyprotectiontype}\"\\}\\}\n",
+            "feedStatus": "ENABLED",
+            "id": 2898,
+            "jsonArrayToggle": true,
+            "name": "test-feed-2",
+            "nssFeedType": "JSON",
+            "nssFilter": {
+              "securityFeedFilter": false
+            },
+            "nssLogType": "WEBLOG",
+            "timeZone": "GMT",
+            "userObfuscation": "DISABLED"
+          },
+          "preaction": {
+            "cloudNss": true,
+            "cloudNssSiemConfiguration": {
+              "connectionHeaders": [
+                "123:123"
+              ],
+              "connectionURL": "https://logs.company.net/http/a7adc684-f65c-42af-9519-0a0786621f20",
+              "maxBatchSize": 524288,
+              "nssType": "NSS_FOR_WEB",
+              "oAuthAuthentication": false,
+              "siemType": "OTHER"
+            },
+            "customEscapedCharacter": [
+              "ASCII_44",
+              "ASCII_92",
+              "ASCII_34"
+            ],
+            "duplicateLogs": 0,
+            "epsRateLimit": 0,
+            "feedOutputFormat": "\\{ \"sourcetype\" : \"zscalernss-web\", \"event\" : \\{\"datetime\":\"%d{yy}-%02d{mth}-%02d{dd} %02d{hh}:%02d{mm}:%02d{ss}\",\"reason\":\"%s{reason}\",\"event_id\":\"%d{recordid}\",\"protocol\":\"%s{proto}\",\"action\":\"%s{action}\",\"transactionsize\":\"%d{totalsize}\",\"responsesize\":\"%d{respsize}\",\"requestsize\":\"%d{reqsize}\",\"urlcategory\":\"%s{urlcat}\",\"serverip\":\"%s{sip}\",\"requestmethod\":\"%s{reqmethod}\",\"refererURL\":\"%s{ereferer}\",\"useragent\":\"%s{eua}\",\"product\":\"NSS\",\"location\":\"%s{elocation}\",\"ClientIP\":\"%s{cip}\",\"status\":\"%s{respcode}\",\"user\":\"%s{elogin}\",\"url\":\"%s{eurl}\",\"vendor\":\"Zscaler\",\"hostname\":\"%s{ehost}\",\"clientpublicIP\":\"%s{cintip}\",\"threatcategory\":\"%s{malwarecat}\",\"threatname\":\"%s{threatname}\",\"filetype\":\"%s{filetype}\",\"appname\":\"%s{appname}\",\"app_status\":\"%s{app_status}\",\"pagerisk\":\"%d{riskscore}\",\"threatseverity\":\"%s{threatseverity}\",\"department\":\"%s{edepartment}\",\"urlsupercategory\":\"%s{urlsupercat}\",\"appclass\":\"%s{appclass}\",\"dlpengine\":\"%s{dlpeng}\",\"urlclass\":\"%s{urlclass}\",\"threatclass\":\"%s{malwareclass}\",\"dlpdictionaries\":\"%s{dlpdict}\",\"fileclass\":\"%s{fileclass}\",\"bwthrottle\":\"%s{bwthrottle}\",\"contenttype\":\"%s{contenttype}\",\"unscannabletype\":\"%s{unscannabletype}\",\"deviceowner\":\"%s{deviceowner}\",\"devicehostname\":\"%s{devicehostname}\",\"keyprotectiontype\":\"%s{keyprotectiontype}\"\\}\\}\n",
+            "feedStatus": "ENABLED",
+            "id": 0,
+            "jsonArrayToggle": true,
+            "name": "test-feed-2",
+            "nssFeedType": "JSON",
+            "nssFilter": {
+              "securityFeedFilter": false
+            },
+            "nssLogType": "WEBLOG",
+            "siemConfiguration": { },
+            "timeZone": "GMT"
+          },
+          "recordid": "370",
+          "resource": "test-feed-2",
+          "result": "SUCCESS",
+          "subcategory": "NSS_FEED",
+          "time": "2024-11-04 16:33:48.000000000"
+        },
+        "sourcetype": "zscalernss-audit"
+      }