Techniques
Sample rules
Tomcat WebServer Logs Deleted
- source: sigma
- techniques: t1070
 
Description
Detects the deletion of Tomcat WebServer logs, which may indicate an attempt to destroy forensic evidence.
Detection logic
condition: selection
selection:
  TargetFilename|contains:
  - catalina.
  - _access_log.
  - localhost.
  TargetFilename|contains|all:
  - \Tomcat
  - \logs\
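
The selection above places two conditions on the same field: any one of the file-name fragments, and both path fragments. The Python below is an added example, not part of the Sigma rule or its project; it applies that logic to constructed file-delete events, assuming each event is a dict with a `TargetFilename` key and that matching is case-insensitive, as Sigma string comparison is by default.

```python
# Added example: evaluates the rule's `selection` against file-delete events.
# The event dicts and every path in them are constructed sample data.

ANY_OF = ("catalina.", "_access_log.", "localhost.")  # TargetFilename|contains
ALL_OF = ("\\Tomcat", "\\logs\\")                      # TargetFilename|contains|all


def matches_selection(event: dict) -> bool:
    """True when TargetFilename satisfies both conditions of the selection."""
    target = event.get("TargetFilename")
    if not isinstance(target, str):
        return False  # field absent: the selection cannot match
    name = target.lower()  # Sigma string comparison is case-insensitive
    any_hit = any(s.lower() in name for s in ANY_OF)  # list values are ORed
    all_hit = all(s.lower() in name for s in ALL_OF)  # |all requires every value
    return any_hit and all_hit  # keys inside one selection are ANDed


def triage(events: list) -> list:
    """Return the deleted paths that the rule would alert on."""
    return [e["TargetFilename"] for e in events if matches_selection(e)]


SAMPLE_EVENTS = [  # constructed for this example
    {"TargetFilename": r"C:\Program Files\Apache Software Foundation\Tomcat 9.0\logs\catalina.2024-01-01.log"},
    {"TargetFilename": r"C:\Tomcat\logs\localhost_access_log.2024-01-01.txt"},
    {"TargetFilename": r"c:\tomcat\LOGS\LOCALHOST.2024-01-01.log"},
    # Path matches, but the file name has none of the three fragments.
    {"TargetFilename": r"C:\Tomcat\logs\tomcat9-stdout.2024-01-01.log"},
    # File name matches, but the path lacks \Tomcat.
    {"TargetFilename": r"C:\inetpub\logs\catalina.bak"},
    # File name and \Tomcat match, but the path lacks \logs\.
    {"TargetFilename": r"D:\Tomcat\conf\catalina.properties"},
    # Event without the field at all.
    {"Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for path in triage(SAMPLE_EVENTS):
        print("ALERT Tomcat log deleted:", path)
```

Only the first three sample events match. The fourth shows that a deleted log under `\Tomcat\logs\` whose name carries none of the three fragments is outside this selection.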
