Techniques
Sample rules
IIS WebServer Access Logs Deleted
- source: sigma
- techniques:
  - t1070
Description
Detects the deletion of IIS WebServer access logs, which may indicate an attempt to destroy forensic evidence
Detection logic
condition: selection
selection:
    TargetFilename|contains: \inetpub\logs\LogFiles\
    TargetFilename|endswith: .log
Tomcat WebServer Logs Deleted
- source: sigma
- techniques:
  - t1070
Description
Detects the deletion of Tomcat WebServer logs, which may indicate an attempt to destroy forensic evidence
Detection logic
condition: selection
selection:
    TargetFilename|contains:
        - catalina.
        - _access_log.
        - localhost.
    TargetFilename|contains|all:
        - \Tomcat
        - \logs\
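The two selections above differ in how their list modifiers combine: a plain `contains` list is any-of, `contains|all` is all-of, and the keys within one `selection` are ANDed. The following added example (not part of the Sigma project or this page) evaluates both rules over constructed file-deletion events; it assumes the rules are applied to file-deletion telemetry carrying a `TargetFilename` field and that Sigma string modifiers match case-insensitively.

```python
# Constructed sample events (assumption: file-deletion telemetry with a
# TargetFilename field, e.g. Sysmon FileDelete). Paths are made up.
SAMPLE_EVENTS = [
    {"TargetFilename": "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex240101.log"},
    {"TargetFilename": "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex240101.log.bak"},
    {"TargetFilename": "C:\\Program Files\\Apache Software Foundation\\Tomcat 9.0\\logs\\catalina.2024-01-01.log"},
    {"TargetFilename": "C:\\Program Files\\Apache Software Foundation\\Tomcat 9.0\\logs\\localhost_access_log.2024-01-01.txt"},
    {"TargetFilename": "C:\\Tomcat\\work\\catalina.tmp"},   # name matches, but not under \logs\
    {"TargetFilename": "C:\\Users\\alice\\notes.log"},       # .log outside the IIS log path
]


def iis_access_logs_deleted(event: dict) -> bool:
    """IIS WebServer Access Logs Deleted: both selection keys must hold (implicit AND)."""
    f = event.get("TargetFilename", "").lower()  # assumption: case-insensitive matching
    return "\\inetpub\\logs\\logfiles\\" in f and f.endswith(".log")


def tomcat_logs_deleted(event: dict) -> bool:
    """Tomcat WebServer Logs Deleted: 'contains' list is any-of, 'contains|all' is all-of."""
    f = event.get("TargetFilename", "").lower()
    name_hit = any(tok in f for tok in ("catalina.", "_access_log.", "localhost."))
    path_hit = all(tok in f for tok in ("\\tomcat", "\\logs\\"))
    return name_hit and path_hit


RULES = {
    "IIS WebServer Access Logs Deleted": iis_access_logs_deleted,
    "Tomcat WebServer Logs Deleted": tomcat_logs_deleted,
}


def evaluate(events):
    """Return (rule title, TargetFilename) for every event/rule pair that fires."""
    hits = []
    for ev in events:
        for title, rule in RULES.items():
            if rule(ev):
                hits.append((title, ev["TargetFilename"]))
    return hits


if __name__ == "__main__":
    for title, path in evaluate(SAMPLE_EVENTS):
        print(f"[{title}] {path}")
```

Only three of the six constructed events fire: the `.log.bak` file fails `endswith`, the Tomcat `work` directory lacks `\logs\`, and the user's `notes.log` is outside the IIS log path.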