IIS WebServer Access Logs Deleted

Sigma Rules

Summary
This detection rule identifies the deletion of Internet Information Services (IIS) web server access logs on Windows systems. It monitors file deletion events for files stored under \inetpub\logs\LogFiles\ with a .log extension; deleting these files may indicate a deliberate attempt to erase logs that would be valuable in a forensic investigation. Such actions are associated with defensive evasion, where an attacker removes evidence after potentially malicious activity. Correlating the deletion with the user and process that performed it helps distinguish unauthorized access from routine administration. The rule rests on the observation that missing IIS log files can be a direct indicator of a security breach or of data loss. Contextual awareness is recommended to reduce false positives, since legitimate activities such as uninstalling the IIS service or log rotation can also trigger this rule.
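To make the rule's two matching conditions concrete, here is an added Python example; it is not the Sigma rule's own code or code from this page. It assumes the file-deletion telemetry comes from Sysmon FileDelete events (Event ID 23) carrying a TargetFilename field, which is an assumption about the log source; the sample events are constructed for the demonstration. Besides applying the path and extension checks case-insensitively (as Sigma's contains/endswith modifiers do), it groups hits by user and process, which is the correlation the summary recommends for separating an interactive account wiping logs from service-driven cleanup.

```python
"""Toy detector for the 'IIS WebServer Access Logs Deleted' logic.

Added example, not the Sigma rule's own code. Assumes Sysmon-style FileDelete
events (Event ID 23) with a TargetFilename field; all sample events below are
constructed, not real telemetry.
"""
from collections import Counter

# Path fragment and extension the rule keys on (from the rule summary). Matching is
# case-insensitive, mirroring Sigma's default 'contains' / 'endswith' behaviour.
IIS_LOG_DIR = "\\inetpub\\logs\\logfiles\\"
LOG_EXT = ".log"
FILE_DELETE_EVENT_ID = 23  # Sysmon FileDelete (assumed log source)


def normalise_path(path: str) -> str:
    """Lower-case and unify separators so mixed-case or '/'-separated paths still match."""
    return path.replace("/", "\\").lower()


def matches_iis_log_deletion(event: dict) -> bool:
    """True when the event is a deletion of a .log file under the IIS log folder."""
    if event.get("EventID") != FILE_DELETE_EVENT_ID:
        return False
    target = normalise_path(event.get("TargetFilename", ""))
    return IIS_LOG_DIR in target and target.endswith(LOG_EXT)


def detect(events):
    """Return the matching events, keeping the fields an analyst needs for correlation."""
    return [
        {
            "User": e.get("User"),
            "Image": e.get("Image"),
            "TargetFilename": e.get("TargetFilename"),
        }
        for e in events
        if matches_iis_log_deletion(e)
    ]


def summarise_by_actor(events):
    """Count hits per (User, Image) so a burst of deletions from one interactive
    account stands out from routine cleanup by a service (the context the summary
    says is needed to cut false positives such as log rotation or IIS uninstall)."""
    return Counter((m["User"], m["Image"]) for m in detect(events))


# Constructed sample events (not real telemetry); two should match.
SAMPLE_EVENTS = [
    {"EventID": 23, "Image": r"C:\Windows\System32\cmd.exe", "User": r"CORP\webadmin",
     "TargetFilename": r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex240501.log"},
    {"EventID": 23, "Image": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM",
     "TargetFilename": r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex240401.log"},
    # Same extension, but outside the IIS log folder: no match.
    {"EventID": 23, "Image": r"C:\Windows\explorer.exe", "User": r"CORP\alice",
     "TargetFilename": r"C:\Users\alice\Downloads\report.log"},
    # Right folder, wrong extension (archived log): no match.
    {"EventID": 23, "Image": r"C:\Windows\System32\cmd.exe", "User": r"CORP\webadmin",
     "TargetFilename": r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex240501.zip"},
    # FileCreate (Event ID 11), not a deletion: no match.
    {"EventID": 11, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "User": r"IIS APPPOOL\DefaultAppPool",
     "TargetFilename": r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex240502.log"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT:", hit)
    for (user, image), count in summarise_by_actor(SAMPLE_EVENTS).items():
        print(f"{count} deletion(s) by {user} via {image}")
```

Running it reports the two deletions under the IIS log folder and attributes one to an interactive account using cmd.exe and one to SYSTEM via svchost.exe; the second is the kind of hit that the summary's false-positive guidance (log rotation, IIS uninstall) would have an analyst verify before escalating.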
Categories
  • Windows
  • Endpoint
  • Infrastructure
Data Sources
  • File
Created: 2022-09-16