LogonTracer v2 is a tool to investigate malicious logon by visualizing and analyzing Windows Active Directory event logs. This tool associates a host name (or an IP address) and account name found in logon-related events and displays it as a graph. This way, it is possible to see in which account login attempt occurs and which host is used.

This tool can visualize the following event IDs related to Windows logon.

More details are described in the following documents:

• Visualise Event Logs to Identify Compromised Accounts - LogonTracer -
• イベントログを可視化して不正使用されたアカウントを調査 (Japanese)

LogonTracer v2.0 integrates an AI analysis engine using OpenAI GPT models to provide intelligent threat detection beyond traditional rule-based approaches.

• Security Pattern Analysis — Automatically interprets graph query results and generates risk assessments with MITRE ATT&CK tactic mapping
• Autonomous LLM Agent — An iterative AI agent that autonomously generates and executes Cypher queries against the Neo4j graph to discover threats without manual intervention
• AI-Generated Sigma Rules — Converts AI analysis findings into deployable Sigma detection rules
• Multi-language Support — AI responses can be generated in English, Japanese, or French

• Bundled Sigma Rules — Includes the full SigmaHQ rule set for scanning EVTX files
• Sigma Scan on Upload — Optionally run Sigma rule scanning automatically during EVTX file upload
• Sigma Rescan API — Re-scan previously uploaded EVTX files with a specific Sigma rule folder via REST API
• Sigma Results View — Dedicated UI page displaying Sigma detection results in an interactive table

LogonTracer uses PageRank, Hidden Markov Model, and ChangeFinder to detect malicious hosts and accounts from event logs.

With LogonTracer, it is also possible to display event logs in chronological order.

• Python 3.9 or later (3.12 recommended)

• Neo4j 5.x (Community or Enterprise)

• OpenAI API key (optional — required only for AI analysis features)

• Python modules

numpy
evtx
lxml
scipy
changefinder
flask
hmmlearn>=0.2.8
scikit-learn
elasticsearch-dsl>=7.0.0,<8.0.0
pyyaml
flask-sqlalchemy
flask-login
flask_wtf
flask-limiter
wtforms
GitPython
pysigma>=0.11.0
pysigma-backend-sqlite
openai>=1.0.0
aiohttp
neo4j

git clone https://github.com/JPCERTCC/LogonTracer.git
cd LogonTracer

pip3 install -r requirements.txt

Download and start Neo4j. Set the initial password and note the Bolt port (default: 7687).

vi config/config.yml

Key settings:

settings:
  logontracer:
    WEB_PORT: "8080"
    default_user: "neo4j"       # Neo4j username for the default LogonTracer account
    default_password: "password" # Change this before first run

  neo4j:
    NEO4J_USER: "neo4j"
    NEO4J_PASSWORD: "password"   # Your Neo4j password
    NEO4J_SERVER: "localhost"
    WS_PORT: "7687"

python3 logontracer.py --run

Open your browser at http://localhost:8080.

python3 logontracer.py -e <path/to/Security.evtx> -z <UTC offset> -s <Neo4j server> -u <user> -p <password>

python3 logontracer.py -x <path/to/event.xml> -z <UTC offset> -s <Neo4j server> -u <user> -p <password>

python3 logontracer.py --es -s <Neo4j server> -u <user> -p <password> --es-server <ES host:port>

Add the --sigma flag to run Sigma rule detection during import:

python3 logontracer.py -e <path/to/Security.evtx> -z 9 -s localhost -u neo4j -p password --sigma

python3 logontracer.py -e <path/to/Security.evtx> -z 9 -s localhost -u neo4j -p password --add

After starting the web application, click Upload Event Log in the left sidebar. You can:

• Select one or more EVTX or XML files
• Choose the UTC offset for the log timezone
• Enable Add additional files to append data without clearing the database
• Enable Run scan using Sigma rules to run Sigma detection automatically after import

After uploading with Sigma scanning enabled, or after triggering a rescan via the API, click Sigma Scan Results in the sidebar to view findings.

1. Go to Settings → AI Settings in the navigation bar
2. Enable AI analysis and enter your OpenAI API key
3. Select the GPT model and preferred response language

• Click AI Analysis in the top navigation to run the autonomous LLM agent
• The agent iteratively generates Cypher queries, executes them against the Neo4j database, and reports discovered threats
• Click AI History to view the last analysis result
• From the AI analysis result panel, click Generate Sigma Rules to convert findings into Sigma detection rules

With Neo4j Enterprise Edition, LogonTracer supports multiple independent investigation cases — each stored in a separate Neo4j database.

• Add New Case — Create a new database for a new investigation
• Delete Case — Remove a case database
• Add/Delete Access to Case — Grant or revoke per-user access to specific cases
• Change Case — Switch the active case in the current session

docker run \
  --detach \
  --publish=7474:7474 --publish=7687:7687 --publish=8080:8080 \
  -e LTHOSTNAME=<IP Address> \
  jpcertcc/docker-logontracer

cd docker-compose
docker compose build
docker compose up -d

cd docker-compose-with-nginx
docker compose build
docker compose up -d

cd docker-compose-with-elasticstack
docker compose build
docker compose up -d

The following YouTube video shows how to use LogonTracer.

For more details, please check the LogonTracer wiki.

LICENSE.txt