Techniques
Sample rules
IIS WebServer Access Logs Deleted
- source: sigma
- techniques:
  - t1070
Description
Detects the deletion of IIS WebServer access logs, which may indicate an attempt to destroy forensic evidence.
Detection logic
condition: selection
selection:
  TargetFilename|contains: \inetpub\logs\LogFiles\
  TargetFilename|endswith: .log