Question 1

How to install LogonTracer with Docker?

Accepted Answer

LogonTracer offers a Docker image for streamlined deployment. Pull the 'jpcertcc/docker-logontracer' image from Docker Hub, mount volumes for log files and Neo4j data, and follow the wiki for configuration details to get started quickly.

Question 2

LogonTracer vs Splunk for Windows log analysis?

Accepted Answer

LogonTracer excels at visualizing authentication relationships and using algorithms for anomaly detection in AD logs, while Splunk is a general-purpose SIEM with broader log support and real-time capabilities. LogonTracer is best for focused investigations, whereas Splunk suits comprehensive monitoring.

Question 3

How does LogonTracer detect golden ticket attacks?

Accepted Answer

By analyzing Kerberos event IDs 4768 and 4769, LogonTracer visualizes TGT and ST request patterns. Anomalies in ticket granting or usage, flagged by algorithms like ChangeFinder, can indicate golden ticket attacks in the graph representation.

Question 4

Can LogonTracer analyze logs in real-time?

Accepted Answer

No, LogonTracer is designed for batch analysis of historical event logs. For real-time analysis, you would need to periodically import new logs or integrate it with a log collection pipeline, as it doesn't support streaming natively.

Question 5

What are the Neo4j requirements for LogonTracer?

Accepted Answer

LogonTracer requires a Neo4j instance, which can be installed locally or on a server. The wiki recommends specific versions and configurations, and sufficient RAM and storage are needed based on log volume for optimal performance.

Question 6

How to interpret the PageRank results in LogonTracer?

Accepted Answer

PageRank scores in LogonTracer indicate the importance of nodes in the logon graph. Hosts or accounts with high scores from unusual authentication patterns, such as many failed logins or privileged access, are flagged as potentially malicious for further investigation.

Question 7

Is LogonTracer good for small AD environments?

Accepted Answer

LogonTracer's advanced features and Neo4j dependency may be overkill for small environments with minimal log data. Simpler tools like native Windows Event Viewer or lightweight SIEMs might be more cost-effective and easier to manage.

LogonTracer

What is LogonTracer?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions