
Summary
This detection rule flags the deletion of Windows event log (.evtx) files from C:\Windows\System32\winevt\Logs\, the directory where the Windows Event Log service stores its channels. Deleting these files destroys forensic evidence of user and system activity and maps to the defense evasion technique T1070 (Indicator Removal); its sub-technique T1070.001 (Clear Windows Event Logs) covers clearing logs specifically. Because the rule keys on file-system activity rather than on log-clearing events (such as Security Event ID 1102), it depends on file-deletion telemetry from the endpoint, for example Sysmon Event ID 23 (FileDelete) or 26 (FileDeleteDetected). The rule is rated medium severity. Expect false positives from legitimate log management, such as administrators archiving or rotating logs, so triage on the deleting process and user before escalating. Note that the Event Log service keeps active .evtx files open, so a successful deletion usually means the service was stopped or the channel disabled first; investigate those actions alongside the alert.
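The matching logic described above, run over a few constructed Sysmon-style events, as an added example that is not the rule's own implementation. It assumes file-deletion telemetry arrives as Sysmon Event ID 23 or 26 with a TargetFilename field, and the sample JSON lines are constructed for illustration, not captured from a real host.

```python
import json

# Windows event log directory the rule targets (from the page), compared
# case-insensitively because NTFS paths are case-insensitive by default.
LOG_DIR_PREFIX = r"c:\windows\system32\winevt\logs" + "\\"

# Assumption: file-deletion telemetry comes from Sysmon, which reports deletions
# as Event ID 23 (FileDelete, file archived) or 26 (FileDeleteDetected).
FILE_DELETE_EVENT_IDS = {23, 26}


def is_evtx_in_log_dir(path: str) -> bool:
    """True when path is an .evtx file under the Windows event log directory."""
    normalized = path.replace("/", "\\").lower()
    return normalized.startswith(LOG_DIR_PREFIX) and normalized.endswith(".evtx")


def matches_rule(event: dict) -> bool:
    """Apply the rule's two conditions: a deletion event on an .evtx in winevt\\Logs."""
    return (event.get("EventID") in FILE_DELETE_EVENT_IDS
            and is_evtx_in_log_dir(event.get("TargetFilename", "")))


def parse_events(jsonl: str) -> list:
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def run_detection(events: list) -> list:
    """Return a medium-severity alert for every event that matches the rule,
    carrying the deleting process and user so an analyst can triage quickly."""
    alerts = []
    for e in events:
        if matches_rule(e):
            alerts.append({
                "severity": "medium",
                "technique": "T1070",
                "file": e["TargetFilename"],
                "image": e.get("Image", ""),
                "user": e.get("User", ""),
            })
    return alerts


# Constructed sample telemetry (not real data), one JSON event per line:
#  1. cmd.exe deletes Security.evtx from the log directory      -> alert
#  2. explorer.exe deletes a user document                       -> no alert
#  3. wevtutil.exe deletes an exported copy outside the log dir  -> no alert
#  4. Event ID 11 (FileCreate) in the log directory              -> no alert
#  5. lowercase path and upper-case extension                    -> alert
SAMPLE_LOG = r"""
{"EventID": 23, "Image": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\admin", "TargetFilename": "C:\\Windows\\System32\\winevt\\Logs\\Security.evtx"}
{"EventID": 26, "Image": "C:\\Windows\\explorer.exe", "User": "CORP\\alice", "TargetFilename": "C:\\Users\\alice\\Documents\\notes.txt"}
{"EventID": 23, "Image": "C:\\Windows\\System32\\wevtutil.exe", "User": "CORP\\admin", "TargetFilename": "C:\\Temp\\export\\Security.evtx"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\LOCAL SERVICE", "TargetFilename": "C:\\Windows\\System32\\winevt\\Logs\\Application.evtx"}
{"EventID": 26, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "User": "CORP\\svc-backup", "TargetFilename": "c:\\windows\\system32\\winevt\\logs\\Microsoft-Windows-PowerShell%4Operational.EVTX"}
"""

if __name__ == "__main__":
    for alert in run_detection(parse_events(SAMPLE_LOG)):
        print(alert)
```

Event 3 shows why the path prefix matters: copies of .evtx files exported elsewhere are routinely deleted and should not fire this rule. Event 4 shows that the event type must be checked too, since the same path appears in create and modify telemetry.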
Categories
- Windows
- Endpoint
Data Sources
- File
Created: 2023-02-15