Hayabusa
Overview
Hayabusa is a Windows event log (EVTX) fast forensics and threat hunting tool written in Rust by the Yamato Security team. It parses Windows Event Log files, correlates them against Sigma-compatible detection rules (shipped with thousands of built-in rules), maps detections to MITRE ATT&CK tactics and techniques, and generates actionable timelines in CSV, JSON, JSONL, or HTML formats. It supports live analysis on running Windows systems and offline analysis of collected EVTX files from incident response engagements.
Installation
Windows (pre-compiled binary, recommended)
```powershell
# Download from GitHub Releases (2.x.x is a placeholder: substitute the actual release version)
Invoke-WebRequest -Uri https://github.com/Yamato-Security/hayabusa/releases/latest/download/hayabusa-2.x.x-win-x64.zip -OutFile hayabusa.zip
Expand-Archive hayabusa.zip -DestinationPath hayabusa
cd hayabusa
.\hayabusa.exe --version
```
Linux (pre-compiled binary)
```bash
wget https://github.com/Yamato-Security/hayabusa/releases/latest/download/hayabusa-2.x.x-linux-x64-gnu.tar.gz
tar xzf hayabusa-*.tar.gz
chmod +x hayabusa
./hayabusa --version
```
macOS
```bash
# ARM (Apple Silicon)
wget https://github.com/Yamato-Security/hayabusa/releases/latest/download/hayabusa-2.x.x-mac-arm.tar.gz
tar xzf hayabusa-*.tar.gz && chmod +x hayabusa
# Intel
wget https://github.com/Yamato-Security/hayabusa/releases/latest/download/hayabusa-2.x.x-mac-intel.tar.gz
tar xzf hayabusa-*.tar.gz && chmod +x hayabusa
./hayabusa --version
```
Build from source (Rust)
```bash
git clone https://github.com/Yamato-Security/hayabusa.git
cd hayabusa
cargo build --release
./target/release/hayabusa --version
# Download latest Sigma rules
./target/release/hayabusa update-rules
```
Update rules
```bash
./hayabusa update-rules # Download latest detection rules from GitHub
./hayabusa list-rules # Show all loaded rules with counts
```
Configuration
Config files
```text
hayabusa/
├── config/
│   ├── channel_abbreviations.txt   # Abbreviate channel names in output
│   ├── default_details.txt         # Default field extraction per event ID
│   ├── exclude_rules.txt           # Rules to always exclude
│   ├── field_data_mapping.txt      # Field name normalization
│   ├── mitre_tactics.txt           # ATT&CK tactic mappings
│   ├── noisy_rules.txt             # Verbose rules to suppress
│   ├── target_event_IDs.txt        # Event IDs to process
│   └── log_aliases.yaml            # Log source aliases
└── rules/                          # Sigma-compatible detection rules
    ├── hayabusa/                   # Hayabusa-specific rules
    └── sigma/                      # Converted Sigma rules
```
Key configuration options
```text
# config/default_details.txt: defines which fields to extract per event ID
# Format: EventID | Channel | FieldName1, FieldName2
4624 | Security | TargetUserName, LogonType, IpAddress, WorkstationName
4688 | Security | NewProcessName, CommandLine, SubjectUserName, ParentProcessName
```
Rule filtering options
```bash
# Minimum rule level to load (-m / --min-level); levels: informational,low,medium,high,critical
./hayabusa csv-timeline -d ./evtx -m low # low,medium,high,critical
./hayabusa csv-timeline -d ./evtx -m medium # medium,high,critical only
# Filter by MITRE ATT&CK tags (tags use the Sigma attack.* form)
./hayabusa csv-timeline -d ./evtx --include-tag attack.t1059 # Command and Scripting Interpreter
# Exclude rules by status
./hayabusa csv-timeline -d ./evtx --exclude-status deprecated,unsupported
```
Core Commands
| Command | Description |
|---|---|
| hayabusa csv-timeline -d ./evtx -o timeline.csv | Generate CSV timeline from EVTX directory |
| hayabusa json-timeline -d ./evtx -L -o timeline.jsonl | Generate JSONL timeline |
| hayabusa csv-timeline -f Security.evtx -o out.csv | Analyze single EVTX file |
| hayabusa csv-timeline -d ./evtx -m high | Only high/critical alerts |
| hayabusa csv-timeline -d ./evtx -o out.csv --HTML-report report.html | Include HTML report |
| hayabusa csv-timeline -d ./evtx --include-tag attack.t1059 | Filter by ATT&CK technique |
| hayabusa csv-timeline -d ./evtx --no-wizard | Skip interactive prompts |
| hayabusa pivot-keywords-list -d ./evtx -o keywords.txt | Extract pivot keywords |
| hayabusa computer-metrics -d ./evtx | Count events per computer |
| hayabusa eid-metrics -d ./evtx | Count events by Event ID |
| hayabusa logon-summary -d ./evtx | Summarize logon events |
| hayabusa search -d ./evtx -k "mimikatz" | Keyword search across logs |
| hayabusa search -d ./evtx -r regex_pattern | Regex search |
| hayabusa list-rules | List all loaded detection rules |
| hayabusa update-rules | Update rules from GitHub |
| hayabusa level-tuning | Interactively tune rule levels |
| hayabusa set-default-profile | Set default output profile |
| hayabusa show-config | Display current configuration |
Advanced Usage
Live analysis on Windows systems
```powershell
# Analyze live Windows event logs (run as Administrator)
.\hayabusa.exe csv-timeline --live-analysis -o live-timeline.csv
# Live analysis, high/critical detections only
.\hayabusa.exe csv-timeline --live-analysis -m high -o critical-alerts.csv
# Live analysis with UTC timestamps (a single pass over the current logs, not continuous monitoring)
.\hayabusa.exe csv-timeline --live-analysis --UTC -o live.csv
```
Timeline output profiles
| Profile | Fields | Use Case |
|---|---|---|
| minimal | Timestamp, RuleTitle, Level | Quick triage |
| standard | + Computer, Channel, EventID, Details | Default analysis |
| verbose | + MITRE tags, Rule author, all fields | Detailed investigation |
| all-field-info | All raw event fields | Deep forensics |
| super-verbose | Everything including raw XML | Evidence preservation |

```bash
# Set profile
./hayabusa csv-timeline -d ./evtx -p verbose -o timeline.csv
./hayabusa csv-timeline -d ./evtx -p all-field-info -o full.csv
```
Output format options
```bash
# CSV (open in Excel / Timeline Explorer)
./hayabusa csv-timeline -d ./evtx -o timeline.csv
# JSONL (one JSON object per line, best for SIEM ingestion): -L / --JSONL-output
./hayabusa json-timeline -d ./evtx -L -o timeline.jsonl
# JSON (default for json-timeline when -L is omitted)
./hayabusa json-timeline -d ./evtx -o timeline.json
# Include HTML summary report
./hayabusa csv-timeline -d ./evtx -o timeline.csv --HTML-report report.html
# No color (for piping / log files)
./hayabusa csv-timeline -d ./evtx -o timeline.csv --no-color
```
Event statistics and triage
```bash
# Count events per Event ID (triage starting point)
./hayabusa eid-metrics -d ./evtx -o eid-counts.csv
# Show logon events summary (who logged on, from where)
./hayabusa logon-summary -d ./evtx
# Pivot keywords: extract unique values for threat hunting pivots
./hayabusa pivot-keywords-list -d ./evtx -o pivots.txt
# Count events per source computer
./hayabusa computer-metrics -d ./evtx
# Time zone: timestamps are written in local time by default; --UTC switches them to UTC
./hayabusa csv-timeline -d ./evtx -o timeline.csv --UTC
```
Sigma rule integration
```bash
# Use only Hayabusa built-in rules (no Sigma)
./hayabusa csv-timeline -d ./evtx --rules ./rules/hayabusa
# Use custom Sigma rules directory
./hayabusa csv-timeline -d ./evtx -r ./my-sigma-rules/
# List all rules with their details
./hayabusa list-rules --output rules-list.csv
# Exclude rules carrying a specific tag (rule status is filtered with --exclude-status instead)
./hayabusa csv-timeline -d ./evtx --exclude-tag deprecated
# Only run rules for a specific MITRE tactic (Sigma tactic tags, shown with their ATT&CK IDs)
./hayabusa csv-timeline -d ./evtx --include-tag attack.execution # TA0002 Execution
./hayabusa csv-timeline -d ./evtx --include-tag attack.persistence # TA0003 Persistence
./hayabusa csv-timeline -d ./evtx --include-tag attack.privilege_escalation # TA0004 Privilege Escalation
./hayabusa csv-timeline -d ./evtx --include-tag attack.defense_evasion # TA0005 Defense Evasion
./hayabusa csv-timeline -d ./evtx --include-tag attack.lateral_movement # TA0008 Lateral Movement
```
Keyword and regex search
```bash
# Search for specific strings across all event logs
./hayabusa search -d ./evtx -k "powershell -enc"
./hayabusa search -d ./evtx -k "mimikatz"
./hayabusa search -d ./evtx -k "sekurlsa"
# Case-insensitive search (-i / --ignore-case)
./hayabusa search -d ./evtx -k "LSASS" -i
# Regex search
./hayabusa search -d ./evtx -r "cmd\.exe.*\/c.*whoami"
./hayabusa search -d ./evtx -r "net (user|group|localgroup)"
# Limit keyword hits to events where a specific field matches (-F / --filter takes Field:Value)
./hayabusa search -d ./evtx -k "attacker@evil.com" -F "SubjectUserName:attacker@evil.com"
# Output search results
./hayabusa search -d ./evtx -k "pass" -o search-results.csv
```
Common Workflows
Initial DFIR triage workflow
```bash
# Step 1: Get event statistics to understand log volume
./hayabusa eid-metrics -d ./evtx -o eid-stats.csv
# Step 2: Get logon summary for account activity overview
./hayabusa logon-summary -d ./evtx -o logon-summary.csv
# Step 3: Generate high/critical alert timeline
./hayabusa csv-timeline -d ./evtx -m high -o high-alerts.csv
# Step 4: Generate full timeline for context
./hayabusa csv-timeline -d ./evtx -m low -p verbose -o full-timeline.csv
# Step 5: Extract pivot keywords
./hayabusa pivot-keywords-list -d ./evtx -o pivots.txt
# Step 6: Search for specific indicators
./hayabusa search -d ./evtx -k "attacker-hostname" -o ioc-hits.csv
```
Hunting for specific attack patterns
```bash
# Lateral movement detection
./hayabusa csv-timeline -d ./evtx --include-tag attack.t1021 -o lateral-movement.csv
# Credential access
./hayabusa csv-timeline -d ./evtx --include-tag attack.t1003 -o credential-access.csv
# Defense evasion
./hayabusa csv-timeline -d ./evtx --include-tag attack.t1562 -o defense-evasion.csv
# PowerShell execution
./hayabusa csv-timeline -d ./evtx --include-tag attack.t1059.001 -o powershell.csv
# Scheduled task persistence
./hayabusa csv-timeline -d ./evtx --include-tag attack.t1053 -o scheduled-tasks.csv
```
Combining with Timeline Explorer (Windows)
```powershell
# Generate CSV timeline
.\hayabusa.exe csv-timeline -d C:\Cases\Evidence\evtx -o timeline.csv -p verbose
# Open in Timeline Explorer for visual analysis
# https://ericzimmerman.github.io/#!index.md (Eric Zimmerman tools)
# Filter, pivot, and export from the GUI
```
Automating collection and analysis
```powershell
# Collect EVTX files and analyze (IR script, run as Administrator)
$case = "CASE-$(Get-Date -Format 'yyyyMMdd')"
# Create the evtx subdirectory up front; Copy-Item does not create a missing destination directory
New-Item -ItemType Directory -Path C:\Cases\$case\evtx -Force | Out-Null
Get-ChildItem C:\Windows\System32\winevt\Logs\*.evtx | Copy-Item -Destination C:\Cases\$case\evtx\
# Analyze
.\hayabusa.exe csv-timeline `
    -d C:\Cases\$case\evtx `
    -o C:\Cases\$case\timeline.csv `
    -m medium `
    --HTML-report C:\Cases\$case\report.html `
    --no-wizard
```
SIEM ingestion workflow
```bash
# Generate JSONL for Elasticsearch / Splunk / OpenSearch
./hayabusa json-timeline -d ./evtx -L -o hayabusa.jsonl
# Ingest into Elasticsearch one document per request
# (IFS= read -r keeps leading whitespace and JSON backslashes intact)
while IFS= read -r line; do
  curl -s -X POST "http://localhost:9200/hayabusa/_doc" \
    -H 'Content-Type: application/json' \
    --data-binary "$line"
done < hayabusa.jsonl
# Or use the bulk API (one request per batch of documents, much faster for large timelines)
./hayabusa json-timeline -d ./evtx -L -o hayabusa.jsonl
# Convert to ES bulk format and upload
```
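The conversion step left open above, as an added example that is not part of the Hayabusa project: a Python helper that turns a Hayabusa JSONL timeline into Elasticsearch `_bulk` request bodies. The index name `hayabusa`, the batch size and the sample records are assumptions; each document gets the SHA-256 of its source line as `_id`, so re-running the ingest overwrites rather than duplicates events.

```python
import hashlib
import json

# Constructed sample of Hayabusa JSONL output (invented values, field names as in
# the standard profile); the second line is deliberately malformed.
SAMPLE_JSONL = """\
{"Timestamp":"2024-05-01 09:12:44.120 +00:00","Computer":"WS01","Channel":"Sec","EventID":4688,"Level":"high","RuleTitle":"Suspicious Encoded PowerShell","Details":{"Cmdline":"powershell -enc ..."}}
not json at all
{"Timestamp":"2024-05-01 09:13:02.004 +00:00","Computer":"WS01","Channel":"Sec","EventID":4624,"Level":"low","RuleTitle":"Logon","Details":{"LogonType":3}}
"""

INDEX = "hayabusa"  # assumed target index name


def to_bulk_batches(jsonl_text: str, index: str = INDEX, batch_size: int = 500):
    """Convert Hayabusa JSONL into Elasticsearch _bulk bodies.

    Each valid record becomes an action line plus a document line. The _id is
    the SHA-256 of the original line, so re-ingesting the same timeline is
    idempotent. Malformed lines are counted and skipped instead of aborting.
    Returns (list_of_bulk_bodies, skipped_line_count).
    """
    batches, current, skipped = [], [], 0
    for raw in jsonl_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            doc = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        doc_id = hashlib.sha256(line.encode("utf-8")).hexdigest()
        current.append(json.dumps({"index": {"_index": index, "_id": doc_id}}))
        current.append(json.dumps(doc, separators=(",", ":")))
        if len(current) >= 2 * batch_size:
            batches.append("\n".join(current) + "\n")  # _bulk needs a trailing newline
            current = []
    if current:
        batches.append("\n".join(current) + "\n")
    return batches, skipped


if __name__ == "__main__":
    bodies, bad = to_bulk_batches(SAMPLE_JSONL)
    print(f"{len(bodies)} batch(es) built, {bad} malformed line(s) skipped")
    # Upload each body with:
    # curl -H 'Content-Type: application/x-ndjson' --data-binary @body.ndjson http://localhost:9200/_bulk
```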
Tips and Best Practices
Run eid-metrics before full timeline generation. Event ID statistics reveal anomalies (e.g., 4688 process creation events in the millions, or absence of expected 4624 logon events) and help scope what to investigate before spending time on full timeline generation.
Start with -m high and expand. Begin triage at high/critical severity to surface the most actionable detections immediately. Once you understand the scope of the incident, re-run at medium or low to catch supporting evidence.
Use pivot-keywords-list to feed into threat hunting. The keywords extracted (unique usernames, hostnames, IPs, process names) are ideal IOCs to search for in other data sources — SIEM, network logs, EDR.
Preserve UTC timestamps. Always use --UTC when analyzing logs from systems in different time zones. Mixing time zones in a timeline is a common source of analysis errors.
Use verbose profiles for evidence reporting. When documenting findings for a legal case or executive report, use -p super-verbose to capture all raw field values as evidence. The standard profile is sufficient for investigation but may miss fields needed for court.
Update rules before every engagement. Run ./hayabusa update-rules before analyzing new evidence. New Sigma rules are added regularly as threat actors evolve their TTPs.
Cross-reference with MITRE ATT&CK Navigator. Export your timeline’s ATT&CK tags and import them into ATT&CK Navigator to visualize which tactics and techniques were observed. This aids in communicating scope to stakeholders.
Collect EVTX files before wiping. If you’re responding to a compromised system, copy C:\Windows\System32\winevt\Logs\*.evtx immediately. Hayabusa can analyze these offline without touching the live system after imaging.
Tune noisy rules for your environment. Add high-frequency, low-signal rules to config/noisy_rules.txt after reviewing them. This reduces timeline noise without disabling rules globally and keeps analysis focused.
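For the ATT&CK Navigator tip above, an added example that is not code from the Hayabusa project: a Python script that counts detections per technique ID in a JSONL timeline and emits a Navigator layer (score = number of detections). The sample records, the layout of the MitreTags field (string joined with " ¦ " or list) and the Navigator version numbers are assumptions.

```python
import json
import re
from collections import Counter

# Constructed sample of a Hayabusa JSONL timeline (verbose profile, invented values).
# Assumption: technique IDs appear in MitreTags, either as a " ¦ "-joined string or a list.
SAMPLE_JSONL = """\
{"Timestamp":"2024-05-01 09:12:44.120 +00:00","Computer":"WS01","Level":"high","RuleTitle":"Encoded PowerShell","MitreTactics":"Execution","MitreTags":"T1059.001","OtherTags":""}
{"Timestamp":"2024-05-01 09:14:10.551 +00:00","Computer":"WS01","Level":"medium","RuleTitle":"Encoded PowerShell","MitreTactics":"Execution","MitreTags":"T1059.001 ¦ T1027","OtherTags":""}
{"Timestamp":"2024-05-01 09:20:03.000 +00:00","Computer":"DC01","Level":"critical","RuleTitle":"LSASS Access","MitreTactics":"Credential Access","MitreTags":["T1003.001"],"OtherTags":["attack.t1003.001"]}
{"Timestamp":"2024-05-01 09:21:00.000 +00:00","Computer":"DC01","Level":"info","RuleTitle":"Logon","MitreTactics":"","MitreTags":"","OtherTags":""}
"""

TECHNIQUE_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b", re.IGNORECASE)


def technique_counts(jsonl_text: str) -> Counter:
    """Count detections per ATT&CK technique ID; a record with several IDs counts once per ID."""
    counts = Counter()
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        tags = json.loads(line).get("MitreTags", "")
        text = " ".join(tags) if isinstance(tags, list) else str(tags)
        for tid in {m.upper() for m in TECHNIQUE_RE.findall(text)}:
            counts[tid] += 1
    return counts


def navigator_layer(counts: Counter, name: str = "Hayabusa detections") -> dict:
    """Build an ATT&CK Navigator layer dict; version numbers are assumed values."""
    return {
        "name": name,
        "versions": {"layer": "4.5", "navigator": "4.9.1", "attack": "14"},
        "domain": "enterprise-attack",
        "description": "Techniques observed in the Hayabusa timeline (score = detection count)",
        "techniques": [
            {"techniqueID": tid, "score": n, "comment": f"{n} detection(s)"}
            for tid, n in sorted(counts.items())
        ],
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0,
                     "maxValue": max(counts.values(), default=1)},
    }


if __name__ == "__main__":
    # Save the printed JSON as layer.json and open it in ATT&CK Navigator
    print(json.dumps(navigator_layer(technique_counts(SAMPLE_JSONL)), indent=2))
```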