
Summary
This analytic rule detects the addition of new IIS modules on a Windows IIS server by monitoring the Windows Event log source Microsoft-IIS-Configuration/Operational, specifically EventCode 29. The detection matters because adding new IIS modules is an infrequent event on production servers, so an unauthorized addition may indicate malicious activity. If a newly added module is confirmed to be malicious, attackers could use it to execute arbitrary code, escalate privileges, or establish persistence within the server environment, putting the server and sensitive data at risk. To implement the rule, the IIS Configuration Operational log must be enabled and ingested into Splunk, so that potentially harmful modifications to the server’s configuration can be tracked.
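An added illustration of the rule's filter logic, written for this page and not part of the original rule or of Splunk's own code: a small Python matcher run over constructed Windows event records, keeping only events from the log name and EventCode named above. The key/value record shape, the message text, the `globalModules/add[@name=...]` detail used to pull out a module name, and the host and user names are all assumptions.

```python
import re
from typing import Dict, Iterable, List, Optional

IIS_CONFIG_LOG = "Microsoft-IIS-Configuration/Operational"
IIS_CONFIG_CHANGE_EVENT = 29  # EventCode the rule keys on

# Assumption: the change details name the module under the globalModules
# path; the rule itself needs only the log name and event code.
MODULE_ADD_RE = re.compile(r"globalModules/add\[@name='([^']+)'\]")

# Constructed sample events, reduced to the fields the matcher reads.
SAMPLE_EVENTS: List[Dict] = [
    {"_time": "2024-11-13T10:01:00Z", "LogName": IIS_CONFIG_LOG, "EventCode": 29,
     "ComputerName": "web01.example.test", "User": "EXAMPLE\\iisadmin",
     "Message": "Successful modification of configuration. "
                "Path: /system.webServer/globalModules/add[@name='ExampleModule']"},
    {"_time": "2024-11-13T10:02:00Z", "LogName": IIS_CONFIG_LOG, "EventCode": 29,
     "ComputerName": "web01.example.test", "User": "EXAMPLE\\iisadmin",
     "Message": "Successful modification of configuration. "
                "Path: /system.webServer/security/requestFiltering"},
    {"_time": "2024-11-13T10:03:00Z", "LogName": IIS_CONFIG_LOG, "EventCode": 30,
     "ComputerName": "web01.example.test", "User": "SYSTEM", "Message": "other change"},
    {"_time": "2024-11-13T10:04:00Z", "LogName": "Security", "EventCode": 29,
     "ComputerName": "web01.example.test", "User": "SYSTEM", "Message": "unrelated"},
]

def module_name_from_message(message: str) -> Optional[str]:
    """Return the registered module name when the details carry one, else None."""
    match = MODULE_ADD_RE.search(message)
    return match.group(1) if match else None

def detect_iis_config_changes(events: Iterable[Dict]) -> List[Dict]:
    """Apply the rule's filter (IIS configuration log, EventCode 29) and
    attach the module name where it can be parsed, so an analyst sees at
    once which module was registered and by whom."""
    findings = []
    for ev in events:
        if ev.get("LogName") != IIS_CONFIG_LOG or ev.get("EventCode") != IIS_CONFIG_CHANGE_EVENT:
            continue
        findings.append({
            "time": ev.get("_time"),
            "host": ev.get("ComputerName"),
            "user": ev.get("User"),
            "module": module_name_from_message(ev.get("Message", "")),
        })
    return findings
```

Every EventCode 29 record is surfaced, as the rule intends; a finding with `module` set to `None` is a configuration change whose details did not name a module and still deserves a look.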
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
ATT&CK Techniques
- T1505.004
- T1505
Created: 2024-11-13