
Summary
This detection rule identifies the deletion of Exchange PowerShell cmdlet history logs by matching file-deletion events against the filename patterns Exchange uses for its cmdlet logs. The purpose of the rule is to surface deliberate attempts to erase forensic evidence, such as logs of malicious activity or of administrative actions carried out in the Exchange environment. By monitoring file deletions under the specified path, security teams can expose defense-evasion activity by threat actors trying to cover their tracks after gaining access to an Exchange server. The rule is assigned a high severity level because cmdlet history is primary evidence for incident response and forensic analysis, and its loss should prompt an immediate investigation. Because Exchange's own log retention also removes aged cmdlet logs, organizations deploying this rule should baseline which process images legitimately delete these files and treat deletions by any other process (an interactive shell, a script host, a web-shell worker) as the suspicious case. Used this way, the rule strengthens detection of anomalous activity around Exchange management and supports incident response.
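As an added example, not part of the rule or of this page, the Python sketch below applies the check described above to a handful of constructed Sysmon-style FileDelete records. The directory fragment `\Logging\CmdletInfra\` and the `.LOG` extension are assumptions about where Exchange writes cmdlet logging, not text quoted from the rule; the sample events, the user names and the `HypotheticalRetentionJob.exe` process used to illustrate allow-listing routine log retention are all invented for the example.

```python
"""Toy matcher for deletions of Exchange PowerShell cmdlet history logs.

The events below are constructed in the shape of Sysmon Event ID 23
(FileDelete) fields. The matching criteria are assumptions about the
Exchange cmdlet-logging location, not the rule's literal selection.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Assumed: Exchange writes cmdlet logs as .LOG files under <install>\Logging\CmdletInfra\
LOG_DIR_FRAGMENT = "\\logging\\cmdletinfra\\"
LOG_EXTENSION = ".log"


@dataclass(frozen=True)
class FileDeleteEvent:
    utc_time: str
    image: str            # process that performed the deletion
    user: str
    target_filename: str  # path of the deleted file


def is_cmdlet_log(path: str) -> bool:
    """True when the deleted path looks like an Exchange cmdlet history log.

    Comparison is case-insensitive because NTFS paths are.
    """
    p = path.lower()
    return LOG_DIR_FRAGMENT in p and p.endswith(LOG_EXTENSION)


def detect(events: Iterable[FileDeleteEvent],
           allowed_images: Iterable[str] = ()) -> List[FileDeleteEvent]:
    """Return deletions of cmdlet logs not performed by an allow-listed process.

    allowed_images: full image paths you have verified perform routine log
    retention on this server. Empty by default, so nothing is suppressed
    until you have actually baselined the host.
    """
    allowed = {i.lower() for i in allowed_images}
    return [e for e in events
            if is_cmdlet_log(e.target_filename)
            and e.image.lower() not in allowed]


EXCH_LOGS = (r"C:\Program Files\Microsoft\Exchange Server\V15\Logging"
             r"\CmdletInfra\Powershell-Proxy\Cmdlet")
# Hypothetical retention binary, used only to show how allow-listing behaves.
RETENTION_IMAGE = r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\HypotheticalRetentionJob.exe"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    FileDeleteEvent("2022-10-26 14:02:11", r"C:\Windows\System32\cmd.exe",
                    r"EXCH01\Administrator", EXCH_LOGS + r"\Cmdlet_2022102614-1.LOG"),
    FileDeleteEvent("2022-10-26 14:02:12",
                    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    r"EXCH01\Administrator", EXCH_LOGS + r"\Cmdlet_2022102613-1.LOG"),
    FileDeleteEvent("2022-10-26 14:05:00", r"C:\Windows\explorer.exe",
                    r"EXCH01\alice", r"C:\Users\alice\AppData\Local\Temp\report.tmp"),
    FileDeleteEvent("2022-10-27 03:00:00", RETENTION_IMAGE,
                    r"NT AUTHORITY\SYSTEM", EXCH_LOGS + r"\Cmdlet_2022092614-1.LOG"),
]


def main() -> None:
    print("Untuned (every cmdlet-log deletion):")
    for e in detect(SAMPLE_EVENTS):
        print(f"  {e.utc_time}  {e.user}  {e.image}")
    print("Tuned (retention process allow-listed):")
    for e in detect(SAMPLE_EVENTS, allowed_images=[RETENTION_IMAGE]):
        print(f"  {e.utc_time}  {e.user}  {e.image}")


if __name__ == "__main__":
    main()
```

The untuned pass fires on the nightly retention deletion as well as on the two interactive ones; the allow-list removes only the baselined process, so an attacker deleting the same files from `cmd.exe` or `powershell.exe` is still reported.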
Categories
- Windows
- On-Premise
- Infrastructure
Data Sources
- File
Created: 2022-10-26