
Summary
This detection rule aims to identify unauthorized deletions of Apache Tomcat WebServer log files, which could signify an adversary's attempt to erase digital footprints and cover up malicious activity or a breach. The rule tracks files within the Tomcat directory, specifically log files whose names begin with 'catalina', '_access_log', or 'localhost'. By alerting on any delete operation against these files, security teams are notified of potentially suspicious activity that should be investigated further. The detection relies on file deletion events from Windows, so it applies to Windows environments where Tomcat is deployed. It also documents known false positive scenarios, such as log rotation or server uninstallation, to reduce unnecessary alerts. Overall, this rule improves the security posture of systems hosting Tomcat applications by detecting a defense evasion tactic employed by attackers.
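The matching logic described above, as an added worked example (this is not the rule's own query or any project's code): a small Python matcher run over constructed Windows file-deletion events. The event field names (action, path, image) and the sample records are assumptions made for this illustration; a real telemetry source would carry its own field names, and the deleting process is surfaced only as a triage hint for the log-rotation and uninstall false positives the summary mentions.

```python
import ntpath

# File-name prefixes of Tomcat log files named in the rule summary.
LOG_PREFIXES = ("catalina", "_access_log", "localhost")

# Constructed sample events (not real telemetry). Field names are an
# assumption; the paths and process images are made up for this example.
SAMPLE_EVENTS = [
    {"action": "delete",
     "path": r"C:\Program Files\Apache Software Foundation\Tomcat 9.0\logs\catalina.2023-02-15.log",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"action": "delete",
     "path": r"D:\apache-tomcat-9.0.71\logs\localhost_access_log.2023-02-15.txt",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"action": "create",   # same file, but not a deletion: must not match
     "path": r"D:\apache-tomcat-9.0.71\logs\localhost_access_log.2023-02-16.txt",
     "image": r"D:\apache-tomcat-9.0.71\bin\Tomcat9.exe"},
    {"action": "delete",   # outside any Tomcat directory: must not match
     "path": r"C:\inetpub\logs\catalina.log",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"action": "delete",   # inside Tomcat, but not a log file: must not match
     "path": r"C:\tomcat\webapps\ROOT\index.jsp",
     "image": r"C:\Windows\explorer.exe"},
    {"action": "delete",   # a log, but not one of the listed prefixes
     "path": r"D:\apache-tomcat-9.0.71\logs\manager.2023-02-16.log",
     "image": r"C:\Windows\System32\cmd.exe"},
]


def matches_tomcat_log_deletion(event: dict) -> bool:
    """Return True when an event is a deletion of a Tomcat log file.

    Windows paths are case-insensitive, so every comparison is lower-cased.
    ntpath is used deliberately so the backslash handling is the same on
    any host running this example.
    """
    if event.get("action", "").lower() != "delete":
        return False
    path = event.get("path", "")
    directory = ntpath.dirname(path).lower()
    # "files within the Tomcat directory": some path component names Tomcat.
    if "tomcat" not in directory:
        return False
    filename = ntpath.basename(path).lower()
    # str.startswith accepts a tuple, so one call covers all three prefixes.
    return filename.startswith(LOG_PREFIXES)


def find_suspicious_deletions(events) -> list:
    """Return the paths of all events the rule would alert on, in order."""
    return [e["path"] for e in events if matches_tomcat_log_deletion(e)]


def triage_hint(event: dict) -> str:
    """Assumed triage aid (not part of the rule): flag whether the deleting
    process lives under the Tomcat installation itself. Rotation performed
    by the server or an uninstaller run from its own directory is the
    documented false-positive case; a shell deleting the file is not.
    """
    image_dir = ntpath.dirname(event.get("image", "")).lower()
    if "tomcat" in image_dir:
        return "deleted by a process under the Tomcat directory; check for rotation/uninstall"
    return "deleted by a process outside the Tomcat directory; investigate"


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        if matches_tomcat_log_deletion(ev):
            print(f"ALERT {ev['path']}\n      {triage_hint(ev)}")
```

Running the block prints two alerts, for the catalina log and the localhost_access_log deletion; the create event, the non-Tomcat path, the JSP file and the manager log are all ignored, which matches the scope the summary gives the rule.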
Categories
- Windows
- Cloud
- Infrastructure
Data Sources
- File
Created: 2023-02-16