Windows IIS Components Get-WebGlobalModule Module Query

Splunk Security Content

Summary
This analytic rule identifies execution of the PowerShell cmdlet Get-WebGlobalModule, which is commonly used to list the IIS modules installed on a Windows system. By capturing the module names and their corresponding DLL paths, it monitors for possible reconnaissance activity within the Internet Information Services (IIS) server environment. Such enumeration attempts might signal an impending exploitation effort targeting identified vulnerabilities or misconfigurations in the web server setup. If an institution's Security Operations Center (SOC) recognizes this behavior as malicious, it could lead to further attacks or privilege escalation on the web server. Understanding IIS module configurations is critical for defenders, because attackers often leverage this information to undermine account security or exploit potential weaknesses in the web architecture. The rule works by ingesting PowerShell output and using a specific Splunk search query to summarize events by host and module details, enabling proactive monitoring of IIS server state.
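The summarization step described above, sketched in Python as an added example (not the rule's own Splunk search). The field names `host`, `name` and `image`, the sample events, and the default-directory review heuristic are assumptions made for illustration.

```python
from datetime import datetime

# Constructed sample events: one record per module row (Name, Image) as
# Get-WebGlobalModule would report it, plus reporting host and ingest time.
# Field names are assumptions, not taken from the rule.
SAMPLE_EVENTS = [
    {"time": "2024-11-13T08:00:00", "host": "web01", "name": "HttpLoggingModule",
     "image": r"%windir%\System32\inetsrv\loghttp.dll"},
    {"time": "2024-11-13T09:00:00", "host": "web01", "name": "HttpLoggingModule",
     "image": r"%windir%\System32\inetsrv\loghttp.dll"},
    {"time": "2024-11-13T09:00:00", "host": "web01", "name": "CacheHelper",
     "image": r"C:\Users\Public\cachehelper.dll"},
    {"time": "2024-11-13T09:05:00", "host": "web02", "name": "HttpLoggingModule",
     "image": r"%WINDIR%\system32\inetsrv\loghttp.dll"},
]

# Assumption: stock native IIS modules live under System32\inetsrv. Modules
# elsewhere are not necessarily malicious; they are only queued for review.
DEFAULT_DIRS = tuple(p + r"\system32\inetsrv" + "\\"
                     for p in ("%windir%", "%systemroot%", r"c:\windows"))

def normalize(image):
    # Case-fold and unify separators so the same DLL groups into one row.
    return image.strip().strip('"').replace("/", "\\").lower()

def summarize(events):
    # Count, first seen and last seen for each (host, module name, DLL path).
    rows = {}
    for ev in events:
        key = (ev["host"], ev["name"], normalize(ev["image"]))
        ts = datetime.fromisoformat(ev["time"])
        row = rows.setdefault(key, {"count": 0, "first": ts, "last": ts})
        row["count"] += 1
        row["first"] = min(row["first"], ts)
        row["last"] = max(row["last"], ts)
    return rows

def needs_review(rows):
    # Keys whose DLL path falls outside the default IIS module directory.
    return sorted(k for k in rows if not k[2].startswith(DEFAULT_DIRS))
```

Comparing the summary against a known-good module inventory for each host reduces noise from legitimately installed third-party modules.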
Categories
  • Windows
  • Endpoint
Data Sources
  • Pod
  • Application Log
ATT&CK Techniques
  • T1505.004
  • T1505
Created: 2024-11-13