LogonTracer

LogonTracer is a security auditing tool designed for logon analysis and forensic log auditing. It functions as a dockerized security auditor that utilizes a security event graph database to map account names and network addresses, allowing for the visualization of complex system compromise patterns and authentication paths.

The system features a Sigma detection engine that scans imported event logs against standardized rule sets to identify known malicious activity. It also includes an anomalous behavior detector that applies statistical analysis, graph algorithms, and hidden Markov models to identify suspicious hosts and user accounts.

The tool manages security investigations through case-isolated data storage and independent databases with per-user access controls. Its broader capabilities include security log ingestion, AI-powered threat analysis, and certificate-based network encryption for securing data during transit.

The application is provided as a container image to ensure consistent installation and runtime across different operating systems.

Features

Authentication Pattern Analysis - Tracks user authentication patterns within system logs to identify security risks and potential account compromises.

Forensic Log Auditors - Provides a dockerized security auditor for managing isolated investigation cases and performing forensic log analysis.

Relational Visualizations - Maps account names and network addresses into a graph to visually identify patterns of system compromise.

Hidden Markov Model Detection - Utilizes hidden Markov models and statistical algorithms to identify suspicious behavioral patterns across hosts and accounts.

Graph Databases - Utilizes a relational graph database to map accounts and network addresses for compromise pattern visualization.

Graph-Relational Databases - Maps account and network data into a graph database to analyze complex authentication paths.

User Behavior Analysis - Applies statistical analysis, graph algorithms, and Markov models to identify suspicious user and host behavior.

Rule-Based Detection Engines - Evaluates imported event data against standardized Sigma rule sets to identify malicious activity.

Behavioral Analysis Engines - Applies graph algorithms and hidden Markov models to detect anomalous security behavior among hosts and accounts.

User Behavior Anomaly Detection - Uses mathematical models and ranking algorithms to identify suspicious host and user account behavior.

Sigma Rule Matching - Evaluates event logs against standardized Sigma rule sets to identify known malicious activity.

Threat Relationship Visualizations - Maps account names and network addresses into a graph to visually identify system compromise patterns.

Event Logging - Converts raw event logs into searchable graph databases to enable relational analysis and security investigations.

Anomaly Detection - Uses mathematical models and ranking algorithms to identify suspicious hosts and accounts within event logs.

Log Ingestion - Ingests raw event data into a graph database to enable complex relational security analysis.

Threat - Scans imported logs against standardized Sigma rule sets to identify known malicious activity.

Case-Isolated Storage - Implements independent data silos for separate security investigation cases to maintain strict access control.

AI-Powered Threat Detection - Provides an AI-powered engine that assesses risk against known attack tactics to generate automated detection rules.

Investigation Case Management - Provides isolated investigation databases with per-user access controls to maintain separate security audits.

Event Log Importing - Converts raw log data into a searchable database using custom timezones and date filters.

Log Analysis Tools - Visualizes and analyzes Windows logon events.

Windows Artifact Analysis - Visualizes and analyzes Windows logon activity.

Digital Forensics - Tool for visualizing and analyzing Windows logon events.

Incident Response Frameworks - Visualizes and analyzes Windows event logs to investigate malicious logons.

Windows Artifact Analysis - Tool for visualizing and analyzing Windows logon events.

JPCERTCCLogonTracer

Features

Star history