Have hayabusa look at other event IDs too when using logon-summary

[mischw]

I came across a set of evtx files where a logon in the security log (ID 4624) was already deleted (brute force flooded the log) but I could still find it in other places like Microsoft-Windows-TerminalServices-LocalSessionManager with an corresponding event ID 21 (RDP). Hayabusa did not find a logon when using logon-summary. Are there plans to have it look at some of the other IDs too, like the mentioned 21, in case the 4624 have been flooded out?

[YamatoSecurity]

@mischw Thanks for the suggestion! Sure we can add that in there.

[mischw]

That is great to hear. Thanks for considering! I am no expert with Windows Event Logs but besides the ID 21 I also found the Event ID 25 which is an RDP reconnect event and also contains an IP-address. There might be even more though.

Maybe that is also a nice addition to the takajo stack-logons command.