LogonTracer v1.4 Released
JPCERT/CC released a new version of LogonTracer, a tool to support event log analysis.
This article introduces some of the new features of the tool.
Dark mode has been added to LogonTracer in this update, which appears on the menu bar. Figure 1 shows the LogonTracer screen when the dark mode is on.
Please note that each colour represents the following item under the dark mode:
- Red: Admin account
- Blue: Normal user account
- Green: Host/IP address
Add event logs
In order to add event logs to analyse, previously users needed to upload new logs together with the old logs that had been already uploaded. To save time, a new function to allow adding log files has been implemented in this release.
Figure 2 shows the screen to upload additional event logs.
By enabling “Add additional EVTX or XML files”, new event logs can be uploaded. You can also do this on the command line by using the “--add” option.
In the next release, we are going to add a function to import logs from Elasticsearch to enable real-time analysis. We will continue updating the tool and appreciate feedback and Pull Requests from users.
(Translated by Yukako Uchida)