├── .github └── workflows │ ├── codeql-analysis.yml │ ├── logontracer-daily-test.yml │ ├── logontracer-test.yml │ └── publish-docker-image.yml ├── .gitignore ├── LICENSE.txt ├── README.md ├── config ├── config.yml └── logging.yml ├── docker-compose-with-elasticstack ├── LogonTracer │ └── build │ │ └── Dockerfile ├── README.md ├── compose.yml ├── elasticsearch │ ├── config │ │ └── elasticsearch.yml │ └── data │ │ └── .gitkeep ├── kibana │ └── config │ │ └── kibana.yml └── neo4j │ ├── conf │ └── .gitkeep │ ├── data │ └── .gitkeep │ └── logs │ └── .gitkeep ├── docker-compose-with-nginx ├── LogonTracer │ └── build │ │ └── Dockerfile ├── README.md ├── compose.yml ├── neo4j │ ├── certificates │ │ └── bolt │ │ │ ├── revoked │ │ │ └── .gitkeep │ │ │ └── trusted │ │ │ └── .gitkeep │ ├── conf │ │ └── .gitkeep │ ├── data │ │ └── .gitkeep │ └── logs │ │ └── .gitkeep └── nginx │ └── default.conf ├── docker-compose ├── LogonTracer │ └── build │ │ └── Dockerfile ├── README.md ├── compose.yml └── neo4j │ ├── conf │ └── .gitkeep │ ├── data │ └── .gitkeep │ └── logs │ └── .gitkeep ├── docker ├── Dockerfile └── README.md ├── es-index ├── logontracer-host-index.json └── logontracer-user-index.json ├── images ├── add-new-case-bar.png ├── add-new-case.png ├── case-manage.png ├── casemng.png ├── delcase.png ├── delcasemng.png ├── diff_panel.png ├── filter_panel.png ├── gpedit1.png ├── gpedit2.png ├── kibana.png ├── load-from-es.png ├── login.png ├── logo.svg ├── logo_top.svg ├── logontracer-w-es.png ├── nav_bar.png ├── node_blue.png ├── node_green.png ├── node_red.png ├── rank.png ├── sample.png ├── sample_dark.png ├── side_bar.png ├── signup.png ├── timeline.png ├── timeline_graph.png ├── upload.gif ├── upload.png └── user-manage.png ├── logontracer.py ├── logs └── .gitkeep ├── model └── hmm.pkl ├── requirements.txt ├── sample ├── README.md ├── Security.evtx ├── data.tar.gz └── graph.db.tar.gz ├── static ├── css │ ├── dark-mode.css │ └── style.css ├── images │ ├── elastic-logo.png │ ├── 
logo_timeline.svg │ └── logo_top.svg └── js │ ├── dark-mode-switch.min.js │ └── script.js └── templates ├── addcase.html ├── casemng.html ├── changecase.html ├── delcase.html ├── delcasemng.html ├── index.html ├── login.html ├── setting.html ├── signup.html ├── timeline.html └── usermng.html /.github/workflows/codeql-analysis.yml: -------------------------------------------------------------------------------- 1 | # For most projects, this workflow file will not need changing; you simply need 2 | # to commit it to your repository. 3 | # 4 | # You may wish to alter this file to override the set of languages analyzed, 5 | # or to provide custom queries or build logic. 6 | # 7 | # ******** NOTE ******** 8 | # We have attempted to detect the languages in your repository. Please check 9 | # the `language` matrix defined below to confirm you have the correct set of 10 | # supported CodeQL languages. 11 | # 12 | name: "CodeQL" 13 | 14 | on: 15 | push: 16 | branches: [ master ] 17 | pull_request: 18 | # The branches below must be a subset of the branches above 19 | branches: [ master ] 20 | schedule: 21 | - cron: '21 5 * * 3' 22 | 23 | jobs: 24 | analyze: 25 | name: Analyze 26 | runs-on: ubuntu-latest 27 | permissions: 28 | actions: read 29 | contents: read 30 | security-events: write 31 | 32 | strategy: 33 | fail-fast: false 34 | matrix: 35 | language: [ 'javascript', 'python' ] 36 | # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ] 37 | # Learn more: 38 | # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed 39 | 40 | steps: 41 | - name: Checkout repository 42 | uses: actions/checkout@v3 43 | 44 | # Initializes the CodeQL tools for scanning. 
45 | - name: Initialize CodeQL 46 | uses: github/codeql-action/init@v1 47 | with: 48 | languages: ${{ matrix.language }} 49 | # If you wish to specify custom queries, you can do so here or in a config file. 50 | # By default, queries listed here will override any specified in a config file. 51 | # Prefix the list here with "+" to use these queries and those in the config file. 52 | # queries: ./path/to/local/query, your-org/your-repo/queries@main 53 | 54 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). 55 | # If this step fails, then you should remove it and run the build manually (see below) 56 | - name: Autobuild 57 | uses: github/codeql-action/autobuild@v1 58 | 59 | # ℹ️ Command-line programs to run using the OS shell. 60 | # 📚 https://git.io/JvXDl 61 | 62 | # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines 63 | # and modify them (or add more) to build your code if your project 64 | # uses a compiled language 65 | 66 | #- run: | 67 | # make bootstrap 68 | # make release 69 | 70 | - name: Perform CodeQL Analysis 71 | uses: github/codeql-action/analyze@v1 72 | -------------------------------------------------------------------------------- /.github/workflows/logontracer-daily-test.yml: -------------------------------------------------------------------------------- 1 | name: daily-test 2 | 3 | on: 4 | schedule: 5 | - cron: '0 10 * * *' 6 | 7 | jobs: 8 | 9 | test: 10 | 11 | runs-on: ubuntu-latest 12 | strategy: 13 | matrix: 14 | python-version: ['3.9', '3.12'] 15 | 16 | steps: 17 | - name: Checkout code 18 | uses: actions/checkout@v4 19 | - name: Build the LogonTracer Docker Image and start 20 | run: | 21 | docker image build ./docker -t jpcertcc/docker-logontracer:latest 22 | docker container run --detach --publish=7474:7474 --publish=7687:7687 --publish=8080:8080 -e LTHOSTNAME=localhost jpcertcc/docker-logontracer 23 | - name: Set up Python ${{ matrix.python-version }} 24 | uses: 
actions/setup-python@v5 25 | with: 26 | python-version: ${{ matrix.python-version }} 27 | - name: Install dependencies 28 | run: | 29 | python -m pip install --upgrade pip 30 | pip install cython 31 | pip install numpy 32 | pip install scipy 33 | pip install statsmodels 34 | pip install -r requirements.txt 35 | - name: List installed Python packages 36 | run: pip list 37 | - name: Test for LogonTracer web gui 38 | run: curl --verbose --show-error http://localhost:8080 39 | - name: Test for LogonTracer log import 40 | run: python logontracer.py -e sample/Security.evtx 41 | -------------------------------------------------------------------------------- /.github/workflows/logontracer-test.yml: -------------------------------------------------------------------------------- 1 | name: test 2 | 3 | on: 4 | push: 5 | branches: [ master ] 6 | 7 | jobs: 8 | 9 | test: 10 | 11 | runs-on: ubuntu-latest 12 | strategy: 13 | matrix: 14 | python-version: ['3.9', '3.10', '3.11', '3.12'] 15 | 16 | steps: 17 | - name: Checkout code 18 | uses: actions/checkout@v4 19 | - name: Build the LogonTracer Docker Image and start 20 | run: | 21 | docker image build ./docker -t jpcertcc/docker-logontracer:latest 22 | docker container run --detach --publish=7474:7474 --publish=7687:7687 --publish=8080:8080 -e LTHOSTNAME=localhost jpcertcc/docker-logontracer 23 | - name: Set up Python ${{ matrix.python-version }} 24 | uses: actions/setup-python@v5 25 | with: 26 | python-version: ${{ matrix.python-version }} 27 | - name: Install dependencies 28 | run: | 29 | python -m pip install --upgrade pip 30 | pip install cython 31 | pip install numpy 32 | pip install scipy 33 | pip install statsmodels 34 | pip install -r requirements.txt 35 | - name: Test for LogonTracer web gui 36 | run: curl --verbose --show-error http://localhost:8080 37 | - name: Test for LogonTracer log import 38 | run: python logontracer.py -e sample/Security.evtx 39 | 
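-------------------------------------------------------------------------------- /.github/workflows/publish-docker-image.yml: --------------------------------------------------------------------------------
name: Publish docker image

on:
  release:
    types: [published]

jobs:

  test:

    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: ['3.9', '3.10', '3.11', '3.12']

    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Build the LogonTracer Docker Image and start
        run: |
          docker image build ./docker -t jpcertcc/docker-logontracer:latest -t ghcr.io/jpcertcc/docker-logontracer:latest
          docker container run --detach --publish=7474:7474 --publish=7687:7687 --publish=8080:8080 -e LTHOSTNAME=localhost jpcertcc/docker-logontracer
      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install cython
          pip install numpy
          pip install scipy
          pip install statsmodels
          pip install -r requirements.txt
      - name: Test for LogonTracer web gui
        run: curl --verbose --show-error http://localhost:8080
      - name: Test for LogonTracer log import
        run: python logontracer.py -e sample/Security.evtx

  publish:

    runs-on: ubuntu-latest
    needs: test
    # GITHUB_TOKEN must be granted packages:write to push to ghcr.io; everything else stays read-only.
    permissions:
      contents: read
      packages: write

    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      # Both registries are authenticated with docker/login-action. build-push-action v5 does not
      # take username/password/repository/dockerfile inputs (those belonged to v1), so the previous
      # "Register Docker Hub" step neither logged in nor pushed anything.
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # The image is (re)built in this job: the test job ran on a different runner, so the image
      # it built does not exist here and a bare `docker push ghcr.io/...` would fail with
      # "image not found". The release tag is pushed alongside latest so consumers can pin an
      # immutable version instead of a mutable tag.
      - name: Build and push to Docker Hub and GitHub Container Registry
        uses: docker/build-push-action@v5
        with:
          context: ./docker
          push: true
          tags: |
            jpcertcc/docker-logontracer:latest
            jpcertcc/docker-logontracer:${{ github.event.release.tag_name }}
            ghcr.io/jpcertcc/docker-logontracer:latest
            ghcr.io/jpcertcc/docker-logontracer:${{ github.event.release.tag_name }}
-------------------------------------------------------------------------------- /.gitignore: --------------------------------------------------------------------------------
*.pyc
*~
*.bak
cache
upload
*.log
-------------------------------------------------------------------------------- /LICENSE.txt: --------------------------------------------------------------------------------
The 3-Clause BSD License

SPDX short identifier: BSD-3-Clause
Note: This license has also been called the "New BSD License" or "Modified BSD License". See also the 2-clause BSD License.

---

Copyright 2023 JPCERT Coordination Center

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. Neither JPCERT Coordination Center nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.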
19 | 20 | IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 |
2 | 3 | [![Arsenal](https://rawgit.com/toolswatch/badges/master/arsenal/usa/2018.svg)](https://www.toolswatch.org/2018/05/black-hat-arsenal-usa-2018-the-w0w-lineup/) [![Version](https://img.shields.io/github/v/release/JPCERTCC/LogonTracer)](https://github.com/JPCERTCC/LogonTracer/releases) [![Docker pull](https://img.shields.io/docker/pulls/jpcertcc/docker-logontracer)](https://hub.docker.com/r/jpcertcc/docker-logontracer/) [![test](https://github.com/JPCERTCC/LogonTracer/actions/workflows/logontracer-test.yml/badge.svg)](https://github.com/JPCERTCC/LogonTracer/actions/workflows/logontracer-test.yml) 4 | 5 | ## Concept 6 | **LogonTracer** is a tool for investigating malicious logons by visualizing and analyzing Windows Active Directory event logs. It associates the host name (or IP address) and the account name found in logon-related events and displays them as a graph, which makes it possible to see which accounts were used in logon attempts and from which hosts. 7 | This tool can visualize the following event IDs related to Windows logon, based on [this research](https://www.first.org/resources/papers/conf2016/FIRST-2016-105.pdf). 
8 | * **4624**: Successful logon 9 | * **4625**: Logon failure 10 | * **4768**: Kerberos Authentication (TGT Request) 11 | * **4769**: Kerberos Service Ticket (ST Request) 12 | * **4776**: NTLM Authentication 13 | * **4672**: Assign special privileges 14 | 15 | More details are described in the following documents: 16 | * [Visualise Event Logs to Identify Compromised Accounts - LogonTracer -](https://blogs.jpcert.or.jp/en/2017/11/visualise-event-logs-to-identify-compromised-accounts---logontracer-.html) 17 | * [イベントログを可視化して不正使用されたアカウントを調査](https://blogs.jpcert.or.jp/ja/2017/11/logontracer.html) (Japanese) 18 | 19 | ![LogonTracer sample](images/sample.png) 20 | 21 | ## Additional Analysis 22 | LogonTracer uses [PageRank](https://en.wikipedia.org/wiki/PageRank), [Hidden Markov model](https://en.wikipedia.org/wiki/Hidden_Markov_model) and [ChangeFinder](https://pdfs.semanticscholar.org/c5bc/7ca31914d3cdfe1b2932cbc779875e645bbb.pdf) to detect malicious hosts and accounts from event log. 23 | ![PageRank List](images/rank.png) 24 | With LogonTracer, it is also possible to display event logs in a chronological order. 25 | ![Timeline](images/timeline.png) 26 | ## Use LogonTracer 27 | To use LogonTracer, you can: 28 | * [Install](https://github.com/JPCERTCC/LogonTracer/wiki/how-to-install) 29 | * [Use docker](https://github.com/JPCERTCC/LogonTracer/wiki/jump-start-with-docker) 30 | 31 | ## Documentation 32 | If you want to know more details, please check [the LogonTracer wiki](https://github.com/JPCERTCC/LogonTracer/wiki). 33 | 34 | ## Demonstration 35 | Following [YouTube's video](https://www.youtube.com/watch?v=aX-vTd7-moY) shows how to use LogonTracer. 36 | 37 | [![LogonTracer_Demonstration](https://img.youtube.com/vi/aX-vTd7-moY/0.jpg)](https://www.youtube.com/watch?v=aX-vTd7-moY) 38 | 39 | ## Architecture 40 | LogonTracer is written in Python and uses Neo4j for database. The following tools are used. 
41 | 42 | * Python 3 43 | * [Neo4j](https://neo4j.com) for a graph database. 44 | * [Neo4j JavaScript driver](https://github.com/neo4j/neo4j-javascript-driver) for connects to Neo4j using the binary protocol. 45 | * [Cytoscape](http://www.cytoscape.org/) for visualizing a graph network. 46 | * [Flask](http://flask.pocoo.org/) is a microframework for Python. 47 | -------------------------------------------------------------------------------- /config/config.yml: -------------------------------------------------------------------------------- 1 | settings: 2 | logontracer: 3 | WEB_PORT: "8080" # Web application port 4 | WEB_HOST: "0.0.0.0" # Web application address 5 | database_name: "data.db" # LogonTracer user info database 6 | default_user: "neo4j" # LogonTracer default login name 7 | default_password: "password" # LogonTracer default login password 8 | default_case: "neo4j" # Default neo4j database name 9 | SESSION_COOKIE_SECURE: False # When using HTTPS, it is necessary to relay a web server such as nginx. 
# --- neo4j connection settings read by logontracer.py (the docker build files rewrite NEO4J_SERVER to "neo4j" with sed) ---
  neo4j:
    NEO4J_USER: "neo4j" # neo4j user name
    # NOTE(review): shipped default credential. The compose files set NEO4J_AUTH=neo4j/password to
    # match and publish the Bolt port on the host, so change both together before exposing
    # neo4j beyond localhost.
    NEO4J_PASSWORD: "password" # neo4j password
    NEO4J_SERVER: "localhost" # neo4j server
    NEO4J_PORT: "7474" # neo4j listen port
    WS_PORT: "7687" # Websocket port

  elastic:
    ES_SERVER: "localhost:9200" # Elastic Search server
    ES_INDEX: "winlogbeat-*" # Elastic index
    ES_PREFIX: "winlog" # Elastic prefix
    # NOTE(review): no password key for Elasticsearch here; presumably supplied at run time
    # (CLI option or environment) — verify against logontracer.py.
    ES_USER: "elastic" # Elastic auth user

  sigma:
    # Rules are fetched from this remote over HTTPS at scan time; pin a tag/commit if
    # reproducible scan results matter.
    git_url: "https://github.com/SigmaHQ/sigma.git" # Sigma rules url
    results: "sigma_results.csv" # Sigma scan result file
-------------------------------------------------------------------------------- /config/logging.yml: --------------------------------------------------------------------------------
version: 1
formatters:
  file:
    format: "[%(asctime)s] [%(levelname)s] : %(message)s"

handlers:
  # Root application log: rotated daily, 8 rotated files kept.
  file:
    class: logging.handlers.TimedRotatingFileHandler
    formatter: file
    filename: logs/application.log
    backupCount: 8
    when: D
    interval: 1
    encoding: 'utf-8'
  # NOTE(review): this handler writes under static/, the web app's static asset directory
  # (static/css and static/js live there). If Flask's default /static route is enabled, the
  # log is downloadable at /static/logontracer.log without authentication — confirm this is
  # intended (e.g. the UI displays it) or move it under logs/ like the handler above.
  # It is not attached to any logger in this file; presumably wired up in code.
  logontracer_handler:
    class: logging.handlers.TimedRotatingFileHandler
    formatter: file
    filename: static/logontracer.log
    backupCount: 8
    when: D
    interval: 1
    encoding: 'utf-8'
  console:
    class: logging.StreamHandler
    stream: ext://sys.stdout

loggers:
  agent_logger:
    level: INFO
    handlers: [console]
    propagate: no

root:
  level: WARN
  handlers: [file]
-------------------------------------------------------------------------------- /docker-compose-with-elasticstack/LogonTracer/build/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.12.0-slim 2 | 3 | RUN set -ex \ 4 | \ 5 | && savedAptMark="$(apt-mark showmanual)" \ 6 | && apt-get update \ 7 | && apt-get install -y --no-install-recommends git \ 8 | dpkg-dev \ 9 | gcc \ 10 | g++ \ 11 | libssl-dev \ 12 
| make 13 | 14 | ## LogonTracer install 15 | WORKDIR /usr/local/src 16 | 17 | RUN git clone https://github.com/JPCERTCC/LogonTracer.git \ 18 | && chmod 777 LogonTracer \ 19 | && chmod 777 LogonTracer/static \ 20 | && cd LogonTracer \ 21 | && pip install cython \ 22 | && pip install numpy \ 23 | && pip install scipy \ 24 | && pip install statsmodels \ 25 | && pip install -r requirements.txt \ 26 | && sed -i 's/\" -s \" + NEO4J_SERVER/\" -s neo4j\"/g' logontracer.py \ 27 | && sed -i 's/+ NEO4J_SERVER +/+ \"neo4j\" +/g' logontracer.py \ 28 | && sed -i 's/host=NEO4J_SERVER/host=\"neo4j\"/g' logontracer.py 29 | 30 | ## Create setup file 31 | WORKDIR /usr/local/src 32 | 33 | RUN echo "#!/bin/bash" > run.sh \ 34 | && echo "sleep 60" >> run.sh \ 35 | && echo "cd /usr/local/src/LogonTracer" >> run.sh \ 36 | && echo "python logontracer.py -r -o 8080 -u neo4j -p password -s \${LTHOSTNAME}" >> run.sh \ 37 | && chmod 755 run.sh 38 | 39 | EXPOSE 8080 40 | 41 | CMD ["/usr/local/src/run.sh"] 42 | -------------------------------------------------------------------------------- /docker-compose-with-elasticstack/README.md: -------------------------------------------------------------------------------- 1 | # Docker Compose for LogonTracer 2 | 3 | Please check the wiki for more details. 4 | https://github.com/JPCERTCC/LogonTracer/wiki/setup-with-docker-compose 5 | 6 | ## Usage 7 | ```shell 8 | $ docker-compose build 9 | $ docker-compose up -d 10 | ``` 11 | -------------------------------------------------------------------------------- /docker-compose-with-elasticstack/compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | neo4j: 3 | container_name: neo4j 4 | image: neo4j:4.4.27 5 | # Using volumes slows down the container. 
6 | #volumes: 7 | # - ./neo4j/data:/data 8 | # - ./neo4j/logs:/logs 9 | # - ./neo4j/conf:/conf 10 | # Set when sync container and local time 11 | # - /etc/localtime:/etc/localtime:ro 12 | ports: 13 | - "7474:7474" 14 | - "7687:7687" 15 | environment: 16 | - NEO4J_dbms_default__database=neo4j 17 | - NEO4J_dbms_connector_bolt_listen__address=0.0.0.0:7687 18 | - NEO4J_dbms_connector_http_listen__address=0.0.0.0:7474 19 | # Performance tuning for JVM neo4j 20 | # See more details: https://neo4j.com/developer/guide-performance-tuning/ 21 | # - NEO4J_dbms_memory_heap_max__size=4G 22 | # - NEO4J_dbms_memory_heap_initial__size=2G 23 | # - NEO4j_dbms_memory_pagecache_size=20G 24 | # set default neo4j password 25 | - NEO4J_AUTH=neo4j/password 26 | networks: 27 | - neo4j-network 28 | 29 | logontracer: 30 | container_name: logontracer 31 | build: ./LogonTracer/build 32 | image: logontracer:latest 33 | depends_on: 34 | - neo4j 35 | #volumes: 36 | # Set when sync container and local time 37 | # - /etc/localtime:/etc/localtime:ro 38 | ports: 39 | - "8080:8080" 40 | environment: 41 | - LTHOSTNAME=localhost 42 | networks: 43 | - neo4j-network 44 | 45 | elasticsearch: 46 | container_name: elasticsearch 47 | image: docker.elastic.co/elasticsearch/elasticsearch:7.9.0 48 | volumes: 49 | - ./elasticsearch/data:/usr/share/elasticsearch/data 50 | - ./elasticsearch/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml 51 | environment: 52 | - bootstrap.memory_lock=true 53 | - "ES_JAVA_OPTS=-Xms512m -Xmx512m" 54 | ports: 55 | - 9200:9200 56 | expose: 57 | - 9300 58 | ulimits: 59 | memlock: 60 | soft: -1 61 | hard: -1 62 | nofile: 63 | soft: 65536 64 | hard: 65536 65 | networks: 66 | - neo4j-network 67 | 68 | kibana: 69 | container_name: kibana 70 | image: docker.elastic.co/kibana/kibana:7.9.0 71 | volumes: 72 | - ./kibana/config/kibana.yml:/usr/share/kibana/config/kibana.yml 73 | ports: 74 | - 5601:5601 75 | networks: 76 | - neo4j-network 77 | 78 | networks: 79 | 
neo4j-network: 80 | external: true 81 |
-------------------------------------------------------------------------------- /docker-compose-with-elasticstack/elasticsearch/config/elasticsearch.yml: --------------------------------------------------------------------------------
node.name: node-1
# Binds all interfaces inside the container; compose.yml additionally publishes 9200 on the host.
network.host: 0.0.0.0
http.port: 9200
cluster.initial_master_nodes: ["node-1"]
xpack.ml.enabled: false
# NOTE(review): with security disabled, every request to 9200 is accepted unauthenticated and
# the two xpack.security.* settings below have no effect (transport TLS and audit logging are
# part of the security feature). Turning it on needs a bootstrap password for the `elastic`
# user and matching Kibana credentials, neither of which this page configures — so it is left
# as shipped; do not expose 9200 beyond localhost in this state.
xpack.security.enabled: false
xpack.security.transport.ssl.enabled: true
xpack.security.audit.enabled: true
-------------------------------------------------------------------------------- /docker-compose-with-elasticstack/elasticsearch/data/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/docker-compose-with-elasticstack/elasticsearch/data/.gitkeep
-------------------------------------------------------------------------------- /docker-compose-with-elasticstack/kibana/config/kibana.yml: --------------------------------------------------------------------------------
server.port: 5601
server.host: "0.0.0.0"
# Plain HTTP to the elasticsearch container over the internal compose network.
elasticsearch.hosts: ["http://elasticsearch:9200"]
elasticsearch.username: elastic
# NOTE(review): shipped default, committed in plaintext; with ES security off it is never
# checked. Once security is enabled, set a real value (preferably via the Kibana keystore)
# and keep it out of version control.
elasticsearch.password: password
-------------------------------------------------------------------------------- /docker-compose-with-elasticstack/neo4j/conf/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/docker-compose-with-elasticstack/neo4j/conf/.gitkeep
-------------------------------------------------------------------------------- /docker-compose-with-elasticstack/neo4j/data/.gitkeep: -------------------------------------------------------------------------------- 
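https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/docker-compose-with-elasticstack/neo4j/data/.gitkeep
-------------------------------------------------------------------------------- /docker-compose-with-elasticstack/neo4j/logs/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/docker-compose-with-elasticstack/neo4j/logs/.gitkeep
-------------------------------------------------------------------------------- /docker-compose-with-nginx/LogonTracer/build/Dockerfile: --------------------------------------------------------------------------------
FROM python:3.12.0-slim

RUN set -ex \
    \
    && savedAptMark="$(apt-mark showmanual)" \
    && apt-get update \
    && apt-get install -y --no-install-recommends git \
        dpkg-dev \
        gcc \
        g++ \
        libssl-dev \
        make

## LogonTracer install
WORKDIR /usr/local/src

# `git clone` creates ./LogonTracer directly. The previous `mv LogonTracer-Private LogonTracer`
# step referred to a directory that does not exist here, so the && chain aborted and this
# image never built; it is removed, which makes this step identical to the docker-compose and
# docker-compose-with-elasticstack build files.
# NOTE(review): the default branch is cloned at build time, so the image is not reproducible;
# pin a tag or commit (git clone --branch <tag>) for a release build.
# NOTE(review): chmod 777 makes the checkout world-writable while the process still runs as
# root; a dedicated non-root USER owning these two directories would be the least-privilege shape.
RUN git clone https://github.com/JPCERTCC/LogonTracer.git \
    && chmod 777 LogonTracer \
    && chmod 777 LogonTracer/static \
    && cd LogonTracer \
    && pip install cython \
    && pip install numpy \
    && pip install scipy \
    && pip install statsmodels \
    && pip install -r requirements.txt \
    && sed -i 's/\" -s \" + NEO4J_SERVER/\" -s neo4j\"/g' logontracer.py \
    && sed -i 's/+ NEO4J_SERVER +/+ \"neo4j\" +/g' logontracer.py \
    && sed -i 's/host=NEO4J_SERVER/host=\"neo4j\"/g' logontracer.py

## Create setup file
WORKDIR /usr/local/src

# run.sh waits 60 s for the neo4j container to come up, then starts the web app on 8080.
# NOTE(review): the neo4j password is passed as a command-line argument, so it is visible to
# any process in the container via `ps`; it must match NEO4J_AUTH in compose.yml if changed.
RUN echo "#!/bin/bash" > run.sh \
    && echo "sleep 60" >> run.sh \
    && echo "cd /usr/local/src/LogonTracer" >> run.sh \
    && echo "python logontracer.py -r -o 8080 -u neo4j -p password -s \${LTHOSTNAME}" >> run.sh \
    && chmod 755 run.sh

EXPOSE 8080

CMD 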
["/usr/local/src/run.sh"] 43 | -------------------------------------------------------------------------------- /docker-compose-with-nginx/README.md: -------------------------------------------------------------------------------- 1 | # LogonTracer with SSL 2 | 3 | Enable SSL communication with LogonTracer and nginx. 4 | 5 | Please check the wiki for more details. 6 | https://github.com/JPCERTCC/LogonTracer/wiki/setup-LogonTracer-with-SSL 7 | 8 | ## Usage 9 | ### Download LogonTracer 10 | 11 | ```shell 12 | $ git clone https://github.com/JPCERTCC/LogonTracer.git 13 | ``` 14 | 15 | ### Get Your SSL Certificate 16 | 17 | The following describes how to create a self-signed SSL certificate. If you can buy an SSL certificate, consider other options. 18 | 19 | #### Command for creating a self-signed SSL certificate 20 | 21 | ```shell 22 | $ openssl req -new -days 365 -x509 -nodes -keyout server.key -out server.crt 23 | ``` 24 | 25 | ### Set Your SSL Certificate 26 | 27 | ```shell 28 | $ cp server.key LogonTracer/docker-compose-with-nginx/nginx/ 29 | $ cp server.crt LogonTracer/docker-compose-with-nginx/nginx/ 30 | $ cp server.key LogonTracer/docker-compose-with-nginx/neo4j/certificates/bolt/ 31 | $ cp server.crt LogonTracer/docker-compose-with-nginx/neo4j/certificates/bolt/ 32 | ``` 33 | 34 | ### Docker Build and Start 35 | 36 | ```shell 37 | $ cd LogonTracer/docker-compose-with-nginx/ 38 | $ docker-compose build 39 | $ docker-compose up -d 40 | ``` 41 | 42 | ### Accessing the Web GUI 43 | 44 | Access **https://[LogonTracer_Server]/** via Web browser. Please make sure to enable JavaScript on your browser. 45 | 46 | #### Note 47 | 48 | If you are using a self-signed SSL certificate, it will be rejected by your web browser. Please set your web browser to allow SSL certificates as HTTPS. 49 | 50 | * Import self-signed SSL certificate for Web browser. 51 | 52 | `or` 53 | 54 | * Allow SSL certificate from web browser warning messages. 55 | 56 | 1. 
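Access to **https://[LogonTracer_Server]/** and allow the SSL certificate.

2. Access to **https://[LogonTracer_Server]:7687/** and allow the SSL certificate. (7687 is the Bolt port published in compose.yml; the browser talks to Neo4j on it directly, so its certificate has to be accepted separately from the nginx one.)
-------------------------------------------------------------------------------- /docker-compose-with-nginx/compose.yml: --------------------------------------------------------------------------------
services:
  neo4j:
    container_name: neo4j
    # image: neo4j:4.4.14-enterprise
    image: neo4j:4.4.27
    volumes:
      # server.key / server.crt copied here per the README are served on the Bolt listener below.
      - ./neo4j/certificates:/var/lib/neo4j/certificates
      # Using volumes slows down the container.
      # - ./neo4j/data:/data
      # - ./neo4j/logs:/logs
      # - ./neo4j/conf:/conf
      # Set when sync container and local time
      # - /etc/localtime:/etc/localtime:ro
    ports:
      # The HTTP connector (7474) is not published in this profile; only Bolt is reachable from outside.
      # - "7474:7474"
      - "7687:7687"
    environment:
      - NEO4J_dbms_default__database=neo4j
      - NEO4J_dbms_connector_bolt_listen__address=0.0.0.0:7687
      - NEO4J_dbms_connector_http_listen__address=0.0.0.0:7474
      - NEO4J_dbms_ssl_policy_bolt_enabled=true
      # NOTE(review): OPTIONAL still accepts plaintext Bolt on the published 7687, so a client (or
      # an attacker stripping TLS) can reach the database unencrypted. REQUIRED would close that,
      # but the logontracer container also connects to this listener from inside the network and
      # this page does not show whether its driver is configured for TLS — verify before changing.
      - NEO4J_dbms_connector_bolt_tls__level=OPTIONAL
      - NEO4J_dbms_ssl_policy_bolt_base__directory=/var/lib/neo4j/certificates/bolt
      - NEO4J_dbms_ssl_policy_bolt_private__key=server.key
      - NEO4J_dbms_ssl_policy_bolt_public__certificate=server.crt
      # Performance tuning for JVM neo4j
      # See more details: https://neo4j.com/developer/guide-performance-tuning/
      # - NEO4J_dbms_memory_heap_max__size=4G
      # - NEO4J_dbms_memory_heap_initial__size=2G
      # - NEO4j_dbms_memory_pagecache_size=20G
      # set default neo4j password
      # NOTE(review): shipped default credential on a published port; change it together with the
      # `-p password` argument written into run.sh by LogonTracer/build/Dockerfile.
      - NEO4J_AUTH=neo4j/password
      # if you use neo4j enterprise
      # - NEO4J_ACCEPT_LICENSE_AGREEMENT=yes
    networks:
      - neo4j-network

  logontracer:
    container_name: logontracer
    build: ./LogonTracer/build
    image: logontracer:latest
    depends_on:
      - neo4j
44 | #volumes: 45 | # Set when sync container and local time 46 | # - 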
/etc/localtime:/etc/localtime:ro 47 | # ports: 48 | # - "8080:8080" 49 | environment: 50 | - LTHOSTNAME=localhost 51 | networks: 52 | - neo4j-network 53 | 54 | nginx: 55 | container_name: nginx 56 | image: nginx:latest 57 | depends_on: 58 | - neo4j 59 | - logontracer 60 | ports: 61 | - "443:443" 62 | - "80:80" 63 | volumes: 64 | - ./nginx/default.conf:/etc/nginx/conf.d/default.conf 65 | - ./nginx/server.crt:/usr/local/nginx/conf/server.crt 66 | - ./nginx/server.key:/usr/local/nginx/conf/server.key 67 | networks: 68 | - neo4j-network 69 | 70 | networks: 71 | neo4j-network: 72 | external: true 73 | -------------------------------------------------------------------------------- /docker-compose-with-nginx/neo4j/certificates/bolt/revoked/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/docker-compose-with-nginx/neo4j/certificates/bolt/revoked/.gitkeep -------------------------------------------------------------------------------- /docker-compose-with-nginx/neo4j/certificates/bolt/trusted/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/docker-compose-with-nginx/neo4j/certificates/bolt/trusted/.gitkeep -------------------------------------------------------------------------------- /docker-compose-with-nginx/neo4j/conf/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/docker-compose-with-nginx/neo4j/conf/.gitkeep -------------------------------------------------------------------------------- /docker-compose-with-nginx/neo4j/data/.gitkeep: -------------------------------------------------------------------------------- 
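https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/docker-compose-with-nginx/neo4j/data/.gitkeep
-------------------------------------------------------------------------------- /docker-compose-with-nginx/neo4j/logs/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/docker-compose-with-nginx/neo4j/logs/.gitkeep
-------------------------------------------------------------------------------- /docker-compose-with-nginx/nginx/default.conf: --------------------------------------------------------------------------------
# TLS front end for the LogonTracer web app: terminates HTTPS on 443 and proxies to logontracer:8080.
server {
    listen 443 ssl;

    # Event-log uploads go through this proxy, hence the generous body limit.
    client_max_body_size 20G;

    #ssl on;
    ssl_certificate /usr/local/nginx/conf/server.crt;
    ssl_certificate_key /usr/local/nginx/conf/server.key;

    ssl_session_timeout 5m;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were previously offered here; only 1.2 and 1.3 remain.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # HSTS is deliberately not set: the README's self-signed-certificate flow relies on the browser
    # letting the user click through the certificate warning, which HSTS forbids. With a CA-issued
    # certificate add: add_header Strict-Transport-Security "max-age=31536000" always;

    proxy_redirect off;
    proxy_set_header HOST $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Passes the original scheme to the app so it can tell it is served over HTTPS (needed for a
    # Secure session cookie, cf. SESSION_COOKIE_SECURE in config/config.yml) — assuming the app
    # honors this header behind a proxy, which is not visible here.
    proxy_set_header X-Forwarded-Proto $scheme;

    location / {
        proxy_pass http://logontracer:8080/;
    }
}

# Plain HTTP is only used to redirect to HTTPS.
server {
    listen 80;
    return 301 https://$host$request_uri;
}
-------------------------------------------------------------------------------- /docker-compose/LogonTracer/build/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.12.0-slim 2 | 3 | RUN set -ex \ 4 | \ 5 | && savedAptMark="$(apt-mark showmanual)" \ 6 | && apt-get update \ 7 | && apt-get install -y --no-install-recommends git \ 8 | dpkg-dev \ 9 | gcc \ 10 | g++ \ 11 | libssl-dev \ 12 | make \ 13 | curl \ 14 | build-essential 15 | 16 | ## 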
LogonTracer install 17 | WORKDIR /usr/local/src 18 | 19 | RUN curl https://sh.rustup.rs -sSf | bash -s -- -y 20 | ENV PATH="/root/.cargo/bin:${PATH}" 21 | 22 | RUN git clone https://github.com/JPCERTCC/LogonTracer.git \ 23 | && chmod 777 LogonTracer \ 24 | && chmod 777 LogonTracer/static \ 25 | && cd LogonTracer \ 26 | && pip install cython \ 27 | && pip install numpy \ 28 | && pip install scipy \ 29 | && pip install statsmodels \ 30 | && pip install -r requirements.txt \ 31 | && sed -i 's/\" -s \" + NEO4J_SERVER/\" -s neo4j\"/g' logontracer.py \ 32 | && sed -i 's/+ NEO4J_SERVER +/+ \"neo4j\" +/g' logontracer.py \ 33 | && sed -i 's/host=NEO4J_SERVER/host=\"neo4j\"/g' logontracer.py 34 | 35 | ## Create setup file 36 | WORKDIR /usr/local/src 37 | 38 | RUN echo "#!/bin/bash" > run.sh \ 39 | && echo "sleep 60" >> run.sh \ 40 | && echo "cd /usr/local/src/LogonTracer" >> run.sh \ 41 | && echo "python logontracer.py -r -o 8080 -u neo4j -p password -s \${LTHOSTNAME}" >> run.sh \ 42 | && chmod 755 run.sh 43 | 44 | EXPOSE 8080 45 | 46 | CMD ["/usr/local/src/run.sh"] 47 | -------------------------------------------------------------------------------- /docker-compose/README.md: -------------------------------------------------------------------------------- 1 | # Docker Compose for LogonTracer 2 | 3 | Please check the wiki for more details. 4 | https://github.com/JPCERTCC/LogonTracer/wiki/setup-with-docker-compose 5 | 6 | ## Usage 7 | ```shell 8 | $ docker-compose build 9 | $ docker-compose up -d 10 | ``` 11 | -------------------------------------------------------------------------------- /docker-compose/compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | neo4j: 3 | container_name: neo4j 4 | image: neo4j:4.4.27 5 | # Using volumes slows down the container. 
6 | #volumes: 7 | # - ./neo4j/data:/data 8 | # - ./neo4j/logs:/logs 9 | # - ./neo4j/conf:/conf 10 | # Set when sync container and local time 11 | # - /etc/localtime:/etc/localtime:ro 12 | ports: 13 | - "7474:7474" 14 | - "7687:7687" 15 | environment: 16 | - NEO4J_dbms_default__database=neo4j 17 | - NEO4J_dbms_connector_bolt_listen__address=0.0.0.0:7687 18 | - NEO4J_dbms_connector_http_listen__address=0.0.0.0:7474 19 | # Performance tuning for JVM neo4j 20 | # See more details: https://neo4j.com/developer/guide-performance-tuning/ 21 | # - NEO4J_dbms_memory_heap_max__size=4G 22 | # - NEO4J_dbms_memory_heap_initial__size=2G 23 | # - NEO4j_dbms_memory_pagecache_size=20G 24 | # set default neo4j password 25 | - NEO4J_AUTH=neo4j/password 26 | networks: 27 | - neo4j-network 28 | 29 | logontracer: 30 | container_name: logontracer 31 | build: ./LogonTracer/build 32 | image: logontracer:latest 33 | depends_on: 34 | - neo4j 35 | #volumes: 36 | # Set when sync container and local time 37 | # - /etc/localtime:/etc/localtime:ro 38 | ports: 39 | - "8080:8080" 40 | environment: 41 | - LTHOSTNAME=localhost 42 | networks: 43 | - neo4j-network 44 | 45 | networks: 46 | neo4j-network: 47 | external: true 48 | -------------------------------------------------------------------------------- /docker-compose/neo4j/conf/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/docker-compose/neo4j/conf/.gitkeep -------------------------------------------------------------------------------- /docker-compose/neo4j/data/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/docker-compose/neo4j/data/.gitkeep -------------------------------------------------------------------------------- /docker-compose/neo4j/logs/.gitkeep: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/docker-compose/neo4j/logs/.gitkeep -------------------------------------------------------------------------------- /docker/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM neo4j:4.4.27 2 | 3 | # ensure local python is preferred over distribution python 4 | ENV PATH /usr/local/bin:$PATH 5 | 6 | # http://bugs.python.org/issue19846 7 | # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK. 8 | ENV LANG C.UTF-8 9 | 10 | # runtime dependencies 11 | RUN apt-get update && apt-get install -y --no-install-recommends \ 12 | ca-certificates \ 13 | netbase \ 14 | && rm -rf /var/lib/apt/lists/* 15 | 16 | ENV GPG_KEY 7169605F62C751356D054A26A821E680E5FA6305 17 | ENV PYTHON_VERSION 3.12.0 18 | 19 | RUN set -eux; \ 20 | \ 21 | savedAptMark="$(apt-mark showmanual)"; \ 22 | apt-get update; \ 23 | apt-get install -y --no-install-recommends \ 24 | dpkg-dev \ 25 | gcc \ 26 | gnupg \ 27 | libbluetooth-dev \ 28 | libbz2-dev \ 29 | libc6-dev \ 30 | libdb-dev \ 31 | libexpat1-dev \ 32 | libffi-dev \ 33 | libgdbm-dev \ 34 | liblzma-dev \ 35 | libncursesw5-dev \ 36 | libreadline-dev \ 37 | libsqlite3-dev \ 38 | libssl-dev \ 39 | make \ 40 | tk-dev \ 41 | uuid-dev \ 42 | wget \ 43 | xz-utils \ 44 | zlib1g-dev \ 45 | ; \ 46 | \ 47 | wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ 48 | wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ 49 | GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ 50 | gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ 51 | gpg --batch --verify python.tar.xz.asc python.tar.xz; \ 52 | gpgconf --kill all; \ 53 | rm -rf "$GNUPGHOME" 
python.tar.xz.asc; \ 54 | mkdir -p /usr/src/python; \ 55 | tar --extract --directory /usr/src/python --strip-components=1 --file python.tar.xz; \ 56 | rm python.tar.xz; \ 57 | \ 58 | cd /usr/src/python; \ 59 | gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ 60 | ./configure \ 61 | --build="$gnuArch" \ 62 | --enable-loadable-sqlite-extensions \ 63 | --enable-optimizations \ 64 | --enable-option-checking=fatal \ 65 | --enable-shared \ 66 | --with-lto \ 67 | --with-system-expat \ 68 | --without-ensurepip \ 69 | ; \ 70 | nproc="$(nproc)"; \ 71 | EXTRA_CFLAGS="$(dpkg-buildflags --get CFLAGS)"; \ 72 | LDFLAGS="$(dpkg-buildflags --get LDFLAGS)"; \ 73 | LDFLAGS="${LDFLAGS:--Wl},--strip-all"; \ 74 | make -j "$nproc" \ 75 | "EXTRA_CFLAGS=${EXTRA_CFLAGS:-}" \ 76 | "LDFLAGS=${LDFLAGS:-}" \ 77 | "PROFILE_TASK=${PROFILE_TASK:-}" \ 78 | ; \ 79 | # https://github.com/docker-library/python/issues/784 80 | # prevent accidental usage of a system installed libpython of the same version 81 | rm python; \ 82 | make -j "$nproc" \ 83 | "EXTRA_CFLAGS=${EXTRA_CFLAGS:-}" \ 84 | "LDFLAGS=${LDFLAGS:--Wl},-rpath='\$\$ORIGIN/../lib'" \ 85 | "PROFILE_TASK=${PROFILE_TASK:-}" \ 86 | python \ 87 | ; \ 88 | make install; \ 89 | \ 90 | cd /; \ 91 | rm -rf /usr/src/python; \ 92 | \ 93 | find /usr/local -depth \ 94 | \( \ 95 | \( -type d -a \( -name test -o -name tests -o -name idle_test \) \) \ 96 | -o \( -type f -a \( -name '*.pyc' -o -name '*.pyo' -o -name 'libpython*.a' \) \) \ 97 | \) -exec rm -rf '{}' + \ 98 | ; \ 99 | \ 100 | ldconfig; \ 101 | \ 102 | apt-mark auto '.*' > /dev/null; \ 103 | apt-mark manual $savedAptMark; \ 104 | find /usr/local -type f -executable -not \( -name '*tkinter*' \) -exec ldd '{}' ';' \ 105 | | awk '/=>/ { so = $(NF-1); if (index(so, "/usr/local/") == 1) { next }; gsub("^/(usr/)?", "", so); printf "*%s\n", so }' \ 106 | | sort -u \ 107 | | xargs -r dpkg-query --search \ 108 | | cut -d: -f1 \ 109 | | sort -u \ 110 | | xargs -r apt-mark manual \ 111 | ; \ 112 
| apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ 113 | rm -rf /var/lib/apt/lists/*; \ 114 | \ 115 | python3 --version 116 | 117 | # make some useful symlinks that are expected to exist ("/usr/local/bin/python" and friends) 118 | RUN set -eux; \ 119 | for src in idle3 pydoc3 python3 python3-config; do \ 120 | dst="$(echo "$src" | tr -d 3)"; \ 121 | [ -s "/usr/local/bin/$src" ]; \ 122 | [ ! -e "/usr/local/bin/$dst" ]; \ 123 | ln -svT "$src" "/usr/local/bin/$dst"; \ 124 | done 125 | 126 | # if this is called "PIP_VERSION", pip explodes with "ValueError: invalid truth value ''" 127 | ENV PYTHON_PIP_VERSION 23.2.1 128 | # https://github.com/pypa/get-pip 129 | ENV PYTHON_GET_PIP_URL https://github.com/pypa/get-pip/raw/c6add47b0abf67511cdfb4734771cbab403af062/public/get-pip.py 130 | ENV PYTHON_GET_PIP_SHA256 22b849a10f86f5ddf7ce148ca2a31214504ee6c83ef626840fde6e5dcd809d11 131 | 132 | RUN set -eux; \ 133 | \ 134 | savedAptMark="$(apt-mark showmanual)"; \ 135 | apt-get update; \ 136 | apt-get install -y --no-install-recommends wget; \ 137 | \ 138 | wget -O get-pip.py "$PYTHON_GET_PIP_URL"; \ 139 | echo "$PYTHON_GET_PIP_SHA256 *get-pip.py" | sha256sum -c -; \ 140 | \ 141 | apt-mark auto '.*' > /dev/null; \ 142 | [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \ 143 | apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ 144 | rm -rf /var/lib/apt/lists/*; \ 145 | \ 146 | export PYTHONDONTWRITEBYTECODE=1; \ 147 | \ 148 | python get-pip.py \ 149 | --disable-pip-version-check \ 150 | --no-cache-dir \ 151 | --no-compile \ 152 | "pip==$PYTHON_PIP_VERSION" \ 153 | ; \ 154 | rm -f get-pip.py; \ 155 | \ 156 | pip --version 157 | 158 | ## Setup Supervisor 159 | WORKDIR /usr/local/src 160 | 161 | RUN set -ex \ 162 | \ 163 | && savedAptMark="$(apt-mark showmanual)" \ 164 | && apt-get update \ 165 | && apt-get install -y --no-install-recommends git \ 166 | curl \ 167 | && apt-get install -y gcc \ 168 | g++ \ 
169 | && pip install git+https://github.com/Supervisor/supervisor \ 170 | && cd /usr/bin \ 171 | && ln -s /usr/local/bin/echo_supervisord_conf . \ 172 | && ln -s /usr/local/bin/pidproxy . \ 173 | && ln -s /usr/local/bin/supervisorctl . \ 174 | && ln -s /usr/local/bin/supervisord . 175 | 176 | ## LogonTracer install 177 | WORKDIR /usr/local/src 178 | 179 | RUN git clone https://github.com/JPCERTCC/LogonTracer.git \ 180 | && chmod 777 /usr/local \ 181 | && chmod 777 /usr/local/src \ 182 | && chmod 777 LogonTracer \ 183 | && chmod 777 LogonTracer/static \ 184 | && chmod 777 LogonTracer/logs \ 185 | && cd LogonTracer \ 186 | && python -m pip install --upgrade pip \ 187 | && pip install cython \ 188 | && pip install numpy \ 189 | && pip install scipy \ 190 | && pip install statsmodels \ 191 | && pip install -r requirements.txt \ 192 | && unlink /var/lib/neo4j/data \ 193 | && mkdir -p /var/lib/neo4j/data/databases \ 194 | && tar xzf sample/data.tar.gz -C /var/lib/neo4j/ 195 | 196 | ## Create supervisord.conf 197 | RUN touch /etc/supervisord.conf \ 198 | && echo "[supervisord]" >> /etc/supervisord.conf \ 199 | && echo "nodaemon=true" >> /etc/supervisord.conf \ 200 | && echo "[program:neo4j]" >> /etc/supervisord.conf \ 201 | && echo "command=/docker-entrypoint.sh neo4j" >> /etc/supervisord.conf \ 202 | && echo "[program:logontracer]" >> /etc/supervisord.conf \ 203 | && echo "command=/usr/local/src/run.sh" >> /etc/supervisord.conf 204 | 205 | ## Create setup file 206 | RUN echo "#!/bin/bash" > run.sh \ 207 | && echo "cd /usr/local/src/LogonTracer" >> run.sh \ 208 | && echo "python logontracer.py -r -o 8080 -u neo4j -p password -s \${LTHOSTNAME}" >> run.sh \ 209 | && chmod 755 run.sh 210 | 211 | ## Set env 212 | RUN sed -i -e "3i NEO4J_EDITION=community" /docker-entrypoint.sh 213 | 214 | WORKDIR /var/lib/neo4j 215 | 216 | EXPOSE 8080 217 | 218 | CMD ["supervisord", "-n"] 219 | -------------------------------------------------------------------------------- /docker/README.md: 
-------------------------------------------------------------------------------- 1 | # docker-LogonTracer 2 | Dockerfile for LogonTracer. 3 | The Docker image is the following URL. 4 | https://hub.docker.com/r/jpcertcc/docker-logontracer/ 5 | 6 | ## Usage 7 | ```shell 8 | $ docker run \ 9 | --detach \ 10 | --publish=7474:7474 --publish=7687:7687 --publish=8080:8080 \ 11 | -e LTHOSTNAME=[IP Address] \ 12 | jpcertcc/docker-logontracer 13 | ``` 14 | -------------------------------------------------------------------------------- /es-index/logontracer-host-index.json: -------------------------------------------------------------------------------- 1 | { 2 | "settings": { 3 | "number_of_shards": 1 4 | }, 5 | "mappings": { 6 | "properties": { 7 | "@timestamp": { 8 | "type": "date", 9 | "format": "strict_date_optional_time_nanos" 10 | }, 11 | "IP": { 12 | "type": "text" 13 | }, 14 | "hostname": { 15 | "type": "text" 16 | }, 17 | "rank": { 18 | "type": "double" 19 | } 20 | } 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /es-index/logontracer-user-index.json: -------------------------------------------------------------------------------- 1 | { 2 | "settings": { 3 | "number_of_shards": 1 4 | }, 5 | "mappings": { 6 | "properties": { 7 | "@timestamp": { 8 | "type": "date", 9 | "format": "strict_date_optional_time_nanos" 10 | }, 11 | "user": { 12 | "type": "keyword" 13 | }, 14 | "rights": { 15 | "type": "keyword" 16 | }, 17 | "sid": { 18 | "type": "keyword" 19 | }, 20 | "status": { 21 | "type": "text" 22 | }, 23 | "rank": { 24 | "type": "double" 25 | } 26 | } 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /images/add-new-case-bar.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/images/add-new-case-bar.png 
-------------------------------------------------------------------------------- /images/add-new-case.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/images/add-new-case.png -------------------------------------------------------------------------------- /images/case-manage.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/images/case-manage.png -------------------------------------------------------------------------------- /images/casemng.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/images/casemng.png -------------------------------------------------------------------------------- /images/delcase.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/images/delcase.png -------------------------------------------------------------------------------- /images/delcasemng.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/images/delcasemng.png -------------------------------------------------------------------------------- /images/diff_panel.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/images/diff_panel.png -------------------------------------------------------------------------------- /images/filter_panel.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/images/filter_panel.png -------------------------------------------------------------------------------- /images/gpedit1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/images/gpedit1.png -------------------------------------------------------------------------------- /images/gpedit2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/images/gpedit2.png -------------------------------------------------------------------------------- /images/kibana.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/images/kibana.png -------------------------------------------------------------------------------- /images/load-from-es.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/images/load-from-es.png -------------------------------------------------------------------------------- /images/login.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/images/login.png -------------------------------------------------------------------------------- /images/logo.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 
| 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | -------------------------------------------------------------------------------- /images/logo_top.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | -------------------------------------------------------------------------------- /images/logontracer-w-es.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/images/logontracer-w-es.png -------------------------------------------------------------------------------- /images/nav_bar.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/images/nav_bar.png -------------------------------------------------------------------------------- /images/node_blue.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/images/node_blue.png -------------------------------------------------------------------------------- /images/node_green.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/images/node_green.png -------------------------------------------------------------------------------- /images/node_red.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/images/node_red.png -------------------------------------------------------------------------------- /images/rank.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/images/rank.png -------------------------------------------------------------------------------- /images/sample.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/images/sample.png -------------------------------------------------------------------------------- /images/sample_dark.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/images/sample_dark.png -------------------------------------------------------------------------------- /images/side_bar.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/images/side_bar.png -------------------------------------------------------------------------------- /images/signup.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/images/signup.png -------------------------------------------------------------------------------- /images/timeline.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/images/timeline.png -------------------------------------------------------------------------------- 
/images/timeline_graph.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/images/timeline_graph.png -------------------------------------------------------------------------------- /images/upload.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/images/upload.gif -------------------------------------------------------------------------------- /images/upload.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/images/upload.png -------------------------------------------------------------------------------- /images/user-manage.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/images/user-manage.png -------------------------------------------------------------------------------- /logs/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/logs/.gitkeep -------------------------------------------------------------------------------- /model/hmm.pkl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/model/hmm.pkl -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | numpy 2 | py2neo>=2020.0.0 3 | evtx 4 | lxml 5 | scipy 6 | changefinder 7 | flask 8 | hmmlearn>=0.2.8 9 | 
scikit-learn 10 | elasticsearch-dsl>=7.0.0,<8.0.0 11 | pyyaml 12 | flask-sqlalchemy 13 | flask-login 14 | flask_wtf 15 | wtforms 16 | GitPython 17 | sigmatools -------------------------------------------------------------------------------- /sample/README.md: -------------------------------------------------------------------------------- 1 | # How to Use 2 | ## Security.evtx 3 | AD security event sample 4 | ``` 5 | $ python3 logontracer.py -e Security.evtx -z [TIMEZONE] -u [NEO4J_USER] -p [PASSWORD] -s [NEO4J_SERVER] 6 | ``` 7 | ## graph.db.tar.gz 8 | neo4j database sample 9 | ``` 10 | $ tar xvzf graph.db.tar.gz -C [neo4j]/data/databases/ 11 | ``` 12 | -------------------------------------------------------------------------------- /sample/Security.evtx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/sample/Security.evtx -------------------------------------------------------------------------------- /sample/data.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/sample/data.tar.gz -------------------------------------------------------------------------------- /sample/graph.db.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/sample/graph.db.tar.gz -------------------------------------------------------------------------------- /static/css/dark-mode.css: -------------------------------------------------------------------------------- 1 | [data-theme="dark"] { 2 | background-color: #202020; 3 | color: #eee; 4 | } 5 | 6 | [data-theme="dark"] .bg-light { 7 | background-color: #292929 !important; 8 | } 9 | 10 | [data-theme="dark"] .bg-white { 11 | background-color: #000; 12 | 
} 13 | 14 | [data-theme="dark"] .bg-black { 15 | background-color: #eee; 16 | } 17 | 18 | [data-theme="dark"] .list-group-item-light.list-group-item-action:focus { 19 | color: WHITE; 20 | background-color: #6c757d; 21 | } 22 | 23 | [data-theme="dark"] .list-group-item-light.list-group-item-action:hover { 24 | color: WHITE; 25 | background-color: #6c757d; 26 | } 27 | 28 | [data-theme="dark"] .list-group-item-light { 29 | color: WHITE; 30 | background-color: #202020; 31 | border: 1px solid WHITE; 32 | } 33 | 34 | [data-theme="dark"] .my_svg { 35 | fill: WHITE; 36 | stroke: WHITE; 37 | height: 50px; 38 | width: 200px; 39 | } 40 | 41 | [data-theme="dark"] .table { 42 | color: WHITE; 43 | background-color: #202020; 44 | --bs-table-bg: initial; 45 | --bs-table-color: initial; 46 | } 47 | 48 | [data-theme="dark"] .tbody { 49 | color: WHITE; 50 | background-image: none; 51 | border-color: WHITE; 52 | } 53 | 54 | [data-theme="dark"] .table .table-light th { 55 | color: WHITE; 56 | background-color: #202020; 57 | border-color: WHITE; 58 | } 59 | 60 | [data-theme="dark"] .table tr { 61 | background-color: #202020; 62 | } 63 | 64 | [data-theme="dark"] .table tr:hover { 65 | color: WHITE; 66 | background-color: #6c757d; 67 | transition: background-color .3s; 68 | } 69 | 70 | [data-theme="dark"] .table-striped tbody tr { 71 | background-color: #202020; 72 | } 73 | 74 | [data-theme="dark"] .table-striped tbody tr:hover { 75 | color: WHITE; 76 | background-color: #6c757d; 77 | transition: background-color .3s; 78 | } 79 | 80 | [data-theme="dark"] .btn-primary { 81 | color: WHITE; 82 | background-color: #6c757d; 83 | border-color: #6c757d; 84 | } 85 | 86 | [data-theme="dark"] .btn-primary:hover { 87 | color: WHITE; 88 | background-color: #545b62; 89 | border-color: #545b62; 90 | transition: background-color .3s; 91 | } 92 | 93 | [data-theme="dark"] .btn-outline-primary { 94 | color: WHITE; 95 | background-color: transparent; 96 | background-image: none; 97 | border-color: WHITE; 98 
| } 99 | 100 | [data-theme="dark"] .btn-outline-primary:hover { 101 | color: WHITE; 102 | background-color: #6c757d; 103 | border-color: #ccc; 104 | transition: background-color .3s; 105 | } 106 | 107 | [data-theme="dark"] .btn-outline-secondary { 108 | color: WHITE; 109 | background-color: #202020; 110 | background-image: none; 111 | border-color: WHITE; 112 | } 113 | 114 | [data-theme="dark"] .btn-outline-secondary:hover { 115 | color: WHITE; 116 | background-color: #6c757d; 117 | border-color: #ccc; 118 | transition: background-color .3s; 119 | } 120 | 121 | [data-theme="dark"] .btn-outline-secondary:focus, .btn-outline-secondary.focus { 122 | color: WHITE; 123 | background-color: #6c757d; 124 | border-color: #ccc; 125 | } 126 | 127 | [data-theme="dark"] .modal-content { 128 | background-color: #222; 129 | } 130 | 131 | [data-theme="dark"] .page-link { 132 | color: WHITE; 133 | background-color: transparent; 134 | border: 1px solid WHITE; 135 | } 136 | 137 | [data-theme="dark"] .page-link:hover { 138 | background-color: #6c757d; 139 | transition: background-color .3s; 140 | } 141 | 142 | [data-theme="dark"] .bs-tooltip-top .arrow::before, .bs-tooltip-auto[x-placement^="top"] .arrow::before { 143 | border-top-color: #444; 144 | } 145 | 146 | [data-theme="dark"] .bs-tooltip-bottom .arrow::before, .bs-tooltip-auto[x-placement^="bottom"] .arrow::before { 147 | border-bottom-color: #444; 148 | } 149 | 150 | [data-theme="dark"] .tooltip-inner { 151 | background-color: #444; 152 | } 153 | 154 | [data-theme="dark"] .fa-refresh { 155 | color: WHITE; 156 | } 157 | 158 | [data-theme="dark"] .fa-times { 159 | color: WHITE; 160 | } 161 | 162 | [data-theme="dark"] .dropdown-menu { 163 | color: WHITE; 164 | background-color: #202020; 165 | } 166 | 167 | [data-theme="dark"] .dropdown-item { 168 | color: WHITE; 169 | } 170 | 171 | [data-theme="dark"] .navbar-light .navbar-nav .nav-link { 172 | color: rgba(255, 255, 255, 0.55); 173 | } 174 | 175 | [data-theme="dark"] 
.dropdown-item:hover { 176 | color: Black; 177 | } 178 | 179 | [data-theme="dark"] .dropdown-item:active { 180 | color: Black; 181 | } 182 | 183 | [data-theme="dark"] .bgcolorSun { 184 | background-color: #ff5050 !important; 185 | } 186 | 187 | [data-theme="dark"] .bgcolorSat { 188 | background-color: #5891db !important; 189 | } 190 | 191 | [data-theme="dark"] .bgcolorDay { 192 | background-color: #202020 !important; 193 | } 194 | 195 | [data-theme="dark"] .bgcolornormal { 196 | background-color: #4d0715 !important; 197 | } 198 | 199 | [data-theme="dark"] .bgcolorlow { 200 | background-color: #800b23 !important; 201 | } 202 | 203 | [data-theme="dark"] .bgcolormid { 204 | background-color: #b31031 !important; 205 | } 206 | 207 | [data-theme="dark"] .bgcolorhigh { 208 | background-color: #dc143c !important; 209 | } 210 | -------------------------------------------------------------------------------- /static/css/style.css: -------------------------------------------------------------------------------- 1 | #loading { 2 | position: absolute; 3 | left: 0; 4 | top: 50%; 5 | width: 100%; 6 | text-align: center; 7 | margin-top: -0.5em; 8 | font-size: 4em; 9 | color: #000; 10 | } 11 | 12 | #loading.loaded { 13 | display: none; 14 | } 15 | 16 | table.floatThead-table { 17 | border-top: none; 18 | border-bottom: none; 19 | background-color: #efefef; 20 | } 21 | 22 | .dropdown-menu { 23 | z-index: 10000; 24 | } 25 | 26 | .custom-checkbox .custom-control-input:checked ~ .custom-control-label::before { 27 | background-color:blue; 28 | } 29 | 30 | .my_svg { 31 | height: 50px; 32 | width: 200px; 33 | } 34 | 35 | .navbar { 36 | z-index: 10000; 37 | } 38 | 39 | .modal { 40 | z-index: 100000; 41 | } 42 | 43 | .tooltip { 44 | z-index: 110000; 45 | } 46 | 47 | .bgcolorSun { 48 | background-color: #ff7f50 !important; 49 | } 50 | 51 | .bgcolorSat { 52 | background-color: #b0c4de !important; 53 | } 54 | 55 | .bgcolorDay { 56 | background-color: #efefef !important; 57 | } 58 | 59 | 
.bgcolornormal { 60 | background-color: #ffeaee !important; 61 | } 62 | 63 | .bgcolorlow { 64 | background-color: #ffbaee !important; 65 | } 66 | 67 | .bgcolormid { 68 | background-color: #ff8aee !important; 69 | } 70 | 71 | .bgcolorhigh { 72 | background-color: #ff5aee !important; 73 | } 74 | 75 | .login-form { 76 | max-width: none !important; 77 | width: 415px; 78 | } 79 | 80 | .login-form input#username, input#password, input#password1, input#password2, input#case { 81 | max-width: none !important; 82 | width: 370px; 83 | height: 2.4em; 84 | padding: 0 16px; 85 | border-radius: 4px; 86 | border: none; 87 | box-shadow: 0 0 0 1px #ccc inset; 88 | appearance: none; 89 | -webkit-appearance: none; 90 | -moz-appearance: none; 91 | } 92 | 93 | .drop-hover:hover > .dropdown-menu { 94 | display: block !important; 95 | margin-left: 100%; 96 | margin-top: -22%; 97 | } 98 | -------------------------------------------------------------------------------- /static/images/elastic-logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/LogonTracer/b814fef899e9057af54f2f551d7e7cd6988fb488/static/images/elastic-logo.png -------------------------------------------------------------------------------- /static/images/logo_timeline.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | image/svg+xml 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | -------------------------------------------------------------------------------- /static/images/logo_top.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | image/svg+xml 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 
| 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | -------------------------------------------------------------------------------- /static/js/dark-mode-switch.min.js: -------------------------------------------------------------------------------- 1 | const darkSwitch=document.getElementById("darkSwitch");function initTheme(){const e=null!==localStorage.getItem("darkSwitch")&&"dark"===localStorage.getItem("darkSwitch");darkSwitch.checked=e,e?document.body.setAttribute("data-theme","dark"):document.body.removeAttribute("data-theme")}function resetTheme(){darkSwitch.checked?(document.body.setAttribute("data-theme","dark"),localStorage.setItem("darkSwitch","dark")):(document.body.removeAttribute("data-theme"),localStorage.removeItem("darkSwitch"))}window.addEventListener("load",()=>{darkSwitch&&(initTheme(),darkSwitch.addEventListener("change",()=>{resetTheme()}))}); -------------------------------------------------------------------------------- /templates/addcase.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | LogonTracer 8 | 9 | 10 | 11 | 12 | 13 | 14 | 19 | 20 |
44 | 45 | 46 | 47 | 48 | 49 | 50 | -------------------------------------------------------------------------------- /templates/casemng.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | LogonTracer 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 21 | 22 |
49 | 116 | 117 | 118 | 119 | 120 | 121 | -------------------------------------------------------------------------------- /templates/changecase.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | LogonTracer 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 21 | 22 |
44 | 80 | 81 | 82 | 83 | 84 | 85 | -------------------------------------------------------------------------------- /templates/delcase.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | LogonTracer 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 21 | 22 |
44 | 82 | 83 | 84 | 85 | 86 | 87 | -------------------------------------------------------------------------------- /templates/delcasemng.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | LogonTracer 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 21 | 22 |

Delete Access to Case

28 | {# NOTE(review): the "safe" filter disables Jinja autoescaping for this value, so whatever is placed in "messages" is emitted as raw HTML. It must be assembled server-side from trusted, fixed strings only and never from request parameters or log-derived text — confirm in the view that renders this template. #} {{ messages | safe }} 29 |
31 | 32 | Cancel 33 |
39 | 103 | 104 | 105 | 106 | 107 | 108 | -------------------------------------------------------------------------------- /templates/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | LogonTracer 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 109 | 110 |
185 | 186 | 234 | 235 | 298 | 299 | 376 | 377 | 378 | 414 | 415 | 431 | 535 | 536 | 537 | 538 | -------------------------------------------------------------------------------- /templates/login.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | LogonTracer 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 |
48 | 49 | 50 | 51 | 52 | 53 | 54 | -------------------------------------------------------------------------------- /templates/setting.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | LogonTracer 8 | 9 | 10 | 11 | 12 | 13 | 14 | 19 | 20 |
49 | 50 | 51 | 52 | 53 | 54 | 55 | -------------------------------------------------------------------------------- /templates/signup.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | LogonTracer 8 | 9 | 10 | 11 | 12 | 13 | 14 | 19 | 20 |
62 | 63 | 64 | 65 | 66 | 67 | 68 | -------------------------------------------------------------------------------- /templates/timeline.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | LogonTracer 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 100 | 101 |
110 | 165 | 166 | 167 | 168 | -------------------------------------------------------------------------------- /templates/usermng.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | LogonTracer 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 21 | 22 |

User Management

30 | 31 | 32 | 33 | Cancel 34 |
40 | 86 | 87 | 88 | 89 | 90 | 91 | --------------------------------------------------------------------------------