The following shows IoC for directory traversal, RFI and LFI within IIS logging:

index=* sourcetype="ms:iis:default"NOT ("cookie.js" OR "script.js") AND (referer="-" OR referer="") AND (uri_query="*passwd*" OR uri_query="*cmd*" OR uri_query="*%00*" OR uri_query="*.txt*")|table _time, clientip, status, uri_query