An archive file was created by a user who doesn't usually create such files. This might indicate an attempt to stage data before exfiltration.
Stage data on an endpoint in the organization.
Check for any other suspicious activity related to the host and the user involved in the alert.