LogonTracer
by JPCERTCC
LogonTracer visualizes and analyzes Windows Active Directory logon event logs to investigate and detect malicious logon activities.
Investigate malicious Windows logons by visualizing and analyzing Windows event logs
Primary Use Case
Security analysts and incident responders use LogonTracer to investigate suspicious or malicious Windows logon events by correlating account names with hostnames or IP addresses through graphical visualization. It helps identify compromised accounts and malicious hosts by analyzing Windows event logs, aiding in intrusion detection and incident response.
- Visualizes Windows logon-related event IDs (4624, 4625, 4768, 4769, 4776, 4672) as graphs
- Associates hostnames/IP addresses with account names in logon events
- Uses PageRank, Hidden Markov Model, and ChangeFinder algorithms to detect malicious hosts and accounts
- Displays event logs in chronological order with timeline visualization
- Built on Python 3 with Neo4j graph database backend
- Interactive graph visualization using Cytoscape
- Provides Docker image for easy deployment
- Includes Flask-based web interface for user interaction
Installation
- Refer to the official installation guide at https://github.com/JPCERTCC/LogonTracer/wiki/how-to-install
- Alternatively, use Docker by following instructions at https://github.com/JPCERTCC/LogonTracer/wiki/jump-start-with-docker
Usage
python LogonTracer.py -i <eventlog.evtx>
    Import and analyze a Windows event log file
python LogonTracer.py -s
    Start the LogonTracer web service for interactive analysis
docker pull jpcertcc/docker-logontracer
    Download the official LogonTracer Docker image
docker run -p 127.0.0.1:5000:5000 jpcertcc/docker-logontracer
    Run the LogonTracer Docker container and expose the web interface locally
- Integrate LogonTracer with SIEM platforms to enhance detection of lateral movement and compromised accounts.
- Leverage the graph visualization to train SOC analysts on recognizing abnormal logon patterns and attack paths.
- Automate alerting workflows by correlating LogonTracer outputs with threat intelligence feeds for faster incident response.
- Use the timeline visualization feature to reconstruct attack timelines during forensic investigations.
- Deploy as a containerized service for scalable analysis in large Active Directory environments.