LogonTracer visualizes and analyzes Windows Active Directory logon event logs to investigate and detect malicious logon activities.
Investigate malicious Windows logon by visualizing and analyzing Windows event log
Security analysts and incident responders use LogonTracer to investigate suspicious or malicious Windows logon events by correlating account names with hostnames or IP addresses through graphical visualization. It helps identify compromised accounts and malicious hosts by analyzing Windows event logs, aiding in intrusion detection and incident response.
LogonTracer requires a running Neo4j graph database for data storage and queries. Windows event logs must be collected in EVTX format for accurate import and analysis. Using the Docker image simplifies deployment and dependency management. Familiarity with Windows logon event IDs and Active Directory environments makes analysis more effective.
Refer to the official installation guide at https://github.com/JPCERTCC/LogonTracer/wiki/how-to-install
Alternatively, use Docker by following instructions at https://github.com/JPCERTCC/LogonTracer/wiki/jump-start-with-docker
python LogonTracer.py -i <eventlog.evtx>
Import and analyze a Windows event log file
python LogonTracer.py -s
Start the LogonTracer web service for interactive analysis
docker pull jpcertcc/docker-logontracer
Download the official LogonTracer Docker image
docker run -p 127.0.0.1:5000:5000 jpcertcc/docker-logontracer
Run LogonTracer Docker container and expose the web interface locally
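The core correlation LogonTracer performs, account names linked to the hosts or IP addresses they log on from, shown as an added example that is not LogonTracer's own code. It parses constructed Security-log records in the XML rendering of EVTX events (IDs 4624/4625, fields TargetUserName, IpAddress, WorkstationName), builds an account-to-source edge list in plain Python instead of Neo4j, and lists sources whose failed logons span many accounts.

```python
# Added example, not part of LogonTracer: correlate accounts with source hosts
# from Windows logon events. Sample records below are constructed.
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(eid, user, ip, host):
    # Constructed minimal Security-log record in the EVTX XML rendering.
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID></System>'
            f'<EventData><Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="IpAddress">{ip}</Data>'
            f'<Data Name="WorkstationName">{host}</Data></EventData></Event>')

SAMPLE_EVENTS = [  # constructed: two successes, one service logon, one noisy source
    _event(4624, "alice", "10.0.0.5", "WS01"),
    _event(4624, "alice", "10.0.0.5", "WS01"),
    _event(4624, "svc_backup", "10.0.0.9", "SRV02"),
    _event(4625, "bob", "10.0.0.77", "-"),
    _event(4625, "carol", "10.0.0.77", "-"),
    _event(4625, "dave", "10.0.0.77", "-"),
    _event(4624, "dave", "10.0.0.77", "-"),
]

def parse_logon(xml_text):
    """Return (event_id, account, source) for 4624/4625 records, else None."""
    root = ET.fromstring(xml_text)
    eid = int(root.find("e:System/e:EventID", NS).text)
    if eid not in (4624, 4625):
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    # Prefer the source IP; fall back to the workstation name when the IP is "-".
    ip = data.get("IpAddress", "-")
    source = ip if ip != "-" else data.get("WorkstationName", "-")
    return eid, data.get("TargetUserName", ""), source

def build_graph(events):
    """Edge list {(account, source): {"success": n, "failure": m}}."""
    graph = defaultdict(lambda: {"success": 0, "failure": 0})
    for xml_text in events:
        parsed = parse_logon(xml_text)
        if parsed is None:
            continue
        eid, account, source = parsed
        graph[(account, source)]["success" if eid == 4624 else "failure"] += 1
    return dict(graph)

def sources_with_many_failed_accounts(graph, min_accounts=3):
    """Sources whose failed logons cover at least min_accounts distinct accounts."""
    failed = defaultdict(set)
    for (account, source), counts in graph.items():
        if counts["failure"]:
            failed[source].add(account)
    return sorted(s for s, accts in failed.items() if len(accts) >= min_accounts)
```

Feeding real exported events through the same functions gives the edge list LogonTracer would render as a graph; the threshold in the last function is a starting point for triage, not a verdict.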