LogonTracer is a tool to investigate malicious logons by visualizing and analyzing Windows Active Directory event logs. In many of our incident response cases, LogonTracer is able to detect malicious logons. Since we introduced this tool at CODE BLUE 2018, we have received a lot of feedback and continue updating it.
LogonTracer is designed mainly for DFIR at present. We received many requests for using this tool for real-time log analysis, so we have added a new function for that purpose.
A new version of LogonTracer v1.5 has added the function to analyze AD event logs stored in Elasticsearch. Many real-time log analysis systems monitor thresholds and specific event IDs, and they also require additional logs such as network traffic logs. LogonTracer can investigate malicious logons by visualization and machine learning based on event logs only.
LogonTracer is an open source tool and the best suitable solution for real-time monitoring on malicious logons to Windows network.