How to install Hayabusa on Windows?

Download the pre-compiled binary from the Releases page, but be prepared to add anti-virus exclusions due to false positives. For live response, use the XOR-encoded packages to minimize file writes and alerts.

Hayabusa vs. Sigma CLI: which is better for Windows log analysis?

Hayabusa is a full timeline generator with Sigma rule support, optimized for fast forensics and threat hunting, while Sigma CLI is primarily for rule conversion. Hayabusa offers more integrated analysis features like pivot lists and Velociraptor integration.

How to integrate Hayabusa with Velociraptor?

Use the Hayabusa artifact from the Velociraptor exchange; the README links to a walkthrough video showing how to deploy it for enterprise-wide threat hunting, essentially retrofitting SIEM capabilities.

What's the best way to reduce false positives in Hayabusa?

Start with the scan wizard to load core rules only, use the level-tuning command to adjust alert levels, and exclude noisy rules via config files. The README emphasizes tuning for your environment to minimize noise.

Can Hayabusa analyze live event logs on a running Windows system?

Yes, use the -l option for live analysis on the local system, but note that real-time protection in Windows Defender may slow the first run, requiring exclusions or temporary disabling.

How to export Hayabusa results to Elasticsearch?

The README includes a dedicated guide for importing CSV timelines into Elastic Stack, detailing steps for data mapping and visualization to support further analysis.

Hayabusa — Windows Event Log Forensics Tool

What is Hayabusa?

Hayabusa is a Sigma-based threat hunting and fast forensics timeline generator for Windows event logs. It parses Windows event logs to detect malicious activity using Sigma rules and creates consolidated timelines for analysis, solving the problem of tedious and noisy log analysis in DFIR investigations.

Target Audience

Digital forensics and incident response (DFIR) analysts, threat hunters, and Windows system administrators who need to analyze Windows event logs for security investigations.

Value Proposition

Developers choose Hayabusa for its speed, comprehensive Sigma rule support, and ability to generate easy-to-analyze timelines. It is the only open-source tool with full Sigma v2 correlation rule support and integrates seamlessly with Velociraptor for enterprise-wide threat hunting.

Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.

Use Cases

Best For

Generating fast forensics timelines from Windows event logs
Threat hunting across enterprise endpoints using Sigma rules
Analyzing Windows event logs for incident response investigations
Integrating with Velociraptor for scalable DFIR workflows
Extracting and decoding Base64 strings from event log data
Creating pivot keyword lists to identify suspicious activity

Not Ideal For

Environments with exclusively Linux or macOS logs and no Windows event logs to analyze
Teams needing real-time, continuous SIEM alerting without retrospective analysis capabilities
Simple log review tasks where basic command-line tools like grep or built-in Windows Event Viewer suffice
Organizations requiring vendor-supported, certified tools for strict regulatory compliance audits

Pros & Cons

Pros

Extensive Sigma Rule Support

Hayabusa offers full Sigma specification support including v2 correlation rules, with over 4000 curated detection rules, providing broad coverage for Windows threat detection.

High Performance Cross-Platform

Written in memory-safe Rust with multi-threading, it delivers fast processing on Windows, Linux, and macOS, as evidenced by benchmarks showing up to 5x speed improvements.

Enterprise Threat Hunting Integration

Seamlessly integrates with Velociraptor via a dedicated artifact, enabling scalable DFIR across endpoints and effectively retrofitting SIEM capabilities in environments without one.

Comprehensive Analysis Features

Includes advanced commands like logon summaries, pivot keyword lists, and Base64 extraction, aiding in deep-dive investigations and data correlation from event logs.

Cons

Anti-Virus Interference

The README warns that anti-virus/EDR products often flag Hayabusa or its YAML rules due to keywords like 'mimikatz', requiring manual exclusions and potentially slowing first runs.

Windows-Event Log Centric

While it supports JSON input, its core functionality is optimized for Windows EVTX files, making it less suitable for heterogeneous environments with diverse log sources.

Complex Configuration Overhead

Managing thousands of YAML rules, config files, and tuning options (e.g., level-tuning, scan wizard) can be overwhelming, requiring significant expertise to avoid false positives.

Frequently Asked Questions

What is Hayabusa?

Target Audience

Digital forensics and incident response (DFIR) analysts, threat hunters, and Windows system administrators who need to analyze Windows event logs for security investigations.

Value Proposition

Use Cases

Best For

Generating fast forensics timelines from Windows event logs
Threat hunting across enterprise endpoints using Sigma rules
Analyzing Windows event logs for incident response investigations
Integrating with Velociraptor for scalable DFIR workflows
Extracting and decoding Base64 strings from event log data
Creating pivot keyword lists to identify suspicious activity

Not Ideal For

Environments with exclusively Linux or macOS logs and no Windows event logs to analyze
Teams needing real-time, continuous SIEM alerting without retrospective analysis capabilities
Simple log review tasks where basic command-line tools like grep or built-in Windows Event Viewer suffice
Organizations requiring vendor-supported, certified tools for strict regulatory compliance audits

Pros & Cons

Pros

Extensive Sigma Rule Support

Hayabusa offers full Sigma specification support including v2 correlation rules, with over 4000 curated detection rules, providing broad coverage for Windows threat detection.

High Performance Cross-Platform

Written in memory-safe Rust with multi-threading, it delivers fast processing on Windows, Linux, and macOS, as evidenced by benchmarks showing up to 5x speed improvements.

Enterprise Threat Hunting Integration

Seamlessly integrates with Velociraptor via a dedicated artifact, enabling scalable DFIR across endpoints and effectively retrofitting SIEM capabilities in environments without one.

Comprehensive Analysis Features

Includes advanced commands like logon summaries, pivot keyword lists, and Base64 extraction, aiding in deep-dive investigations and data correlation from event logs.

Cons

Anti-Virus Interference

The README warns that anti-virus/EDR products often flag Hayabusa or its YAML rules due to keywords like 'mimikatz', requiring manual exclusions and potentially slowing first runs.

Windows-Event Log Centric

While it supports JSON input, its core functionality is optimized for Windows EVTX files, making it less suitable for heterogeneous environments with diverse log sources.

Complex Configuration Overhead

Managing thousands of YAML rules, config files, and tuning options (e.g., level-tuning, scan wizard) can be overwhelming, requiring significant expertise to avoid false positives.

Frequently Asked Questions

Hayabusa

What is Hayabusa?

Overview

Use Cases

Best For

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions

Related Projects

Found a gem we're missing?

Hayabusa

What is Hayabusa?

Overview

Use Cases

Best For

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions

Related Projects

Found a gem we're missing?