IIS HTTP Logging Disabled

Elastic Detection Rules

Summary
This detection rule identifies when HTTP logging is disabled in Internet Information Services (IIS) on Windows servers, an action typically undertaken by attackers to obscure their activities and evade detection. The rule uses an event query to monitor process executions that indicate the disabling of HTTP logging through the appcmd.exe command. IIS logs provide valuable security information, and disabling them is a common anti-forensics tactic employed by adversaries. The investigation notes emphasize examining the process execution chain, identifying the user who performed the action, checking whether the change was authorized under change management policies, and following proper incident response procedures for compromised systems. The rule also outlines a framework for analyzing false positives and effective remediation strategies that address the underlying vulnerabilities and associated risks.
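The following is an added example, not Elastic's rule query or code from this page, showing the shape of the detection described above: a small matcher run over constructed process-creation events that flags appcmd.exe invocations which turn IIS HTTP logging off, and carries the parent process and user into the alert so the execution chain can be triaged as the investigation notes recommend. It assumes the documented appcmd syntax `appcmd.exe set config /section:httpLogging /dontLog:true` as the pattern of interest; the event fields and sample values are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed process-creation event shape (field names are an assumption,
# not Elastic's schema).
@dataclass
class ProcessEvent:
    host: str
    user: str
    process_name: str      # base name or full path of the executable
    command_line: str
    parent_name: str

# Constructed sample events: one genuine disable, two benign appcmd uses,
# and one unrelated process.
SAMPLE_EVENTS = [
    ProcessEvent("web01", r"CORP\svc-web",
                 r"C:\Windows\System32\inetsrv\appcmd.exe",
                 'appcmd.exe set config /section:httpLogging /dontLog:"True"',
                 "cmd.exe"),
    ProcessEvent("web01", r"CORP\admin",
                 "appcmd.exe",
                 "appcmd.exe list sites",
                 "powershell.exe"),
    ProcessEvent("web02", r"CORP\admin",
                 "appcmd.exe",
                 "appcmd.exe set config /section:httpLogging /dontLog:false",
                 "explorer.exe"),
    ProcessEvent("web02", r"CORP\user1",
                 "notepad.exe",
                 "notepad.exe web.config",
                 "explorer.exe"),
]

# appcmd.exe as a bare name or at the end of a path, case-insensitive
_APPCMD_RE = re.compile(r"(?i)(^|[\\/])appcmd\.exe$")
# the httpLogging section selector, tolerant of quoting and spacing
_SECTION_RE = re.compile(r'(?i)[/-]section:\s*"?httpLogging"?')
# dontLog set to true; appcmd accepts either / or - as the switch prefix
_DONTLOG_RE = re.compile(r'(?i)[/-]dontLog:\s*"?true"?')


def is_http_logging_disable(ev: ProcessEvent) -> bool:
    """True when the event is appcmd.exe disabling IIS HTTP logging."""
    if not _APPCMD_RE.search(ev.process_name.strip()):
        return False
    cmd = ev.command_line
    return bool(_SECTION_RE.search(cmd) and _DONTLOG_RE.search(cmd))


def detect(events):
    """Return one alert dict per matching event, with triage context."""
    alerts = []
    for ev in events:
        if is_http_logging_disable(ev):
            alerts.append({
                "rule": "IIS HTTP Logging Disabled",
                "technique": "T1562.002",
                "host": ev.host,
                "user": ev.user,
                "parent_process": ev.parent_name,
                "command_line": ev.command_line,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only the first sample event produces an alert; the listing command and the `/dontLog:false` re-enable do not match. The `user` and `parent_process` fields are what an analyst would check first: a disable issued from an interactive shell by an account outside the change-management process is the case the rule is written to surface.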
Categories
  • Windows
  • Endpoint
  • Infrastructure
Data Sources
  • Process
  • Windows Registry
  • Application Log
  • File
  • Network Traffic
ATT&CK Techniques
  • T1562
  • T1562.002
Created: 2020-04-14