Hayabusa (隼, Japanese for "peregrine falcon") is a Sigma-based threat-hunting and fast-forensics timeline generator for Windows event logs, developed by Yamato Security in Rust. It parses .evtx files (offline or via live analysis of a local host), applies a large built-in library of Sigma detection rules plus Hayabusa-specific rules, and produces a single, readable, chronological timeline of high-signal events with severity levels, MITRE ATT&CK tactics, and rule references. This collapses thousands of raw event-log records into a prioritized incident timeline that an analyst can review quickly.
Hayabusa is purpose-built for DFIR triage. Instead of loading EVTX into a SIEM, an investigator runs a single binary against a directory of collected logs and gets a CSV or JSON timeline plus metrics (events per computer, per Event ID, per channel). Because detections are Sigma-based, coverage tracks the open detection-engineering community, and rules can be updated on demand with update-rules. The tool's output integrates with downstream analysis: CSV opens in Timeline Explorer, JSONL feeds into jq, and timesketch-* profiles export directly into Timesketch.
A frequent finding in Hayabusa timelines is malicious PowerShell — MITRE ATT&CK T1059.001 (Command and Scripting Interpreter: PowerShell) — surfaced via Sigma rules over Event ID 4104 (script-block logging), 4103, and Sysmon process creation. This skill maps to NIST CSF RS.AN-03 (analysis is performed to establish what has taken place during an incident).
.evtx files into a prioritized timeline.
```bash
# Linux example: download the release, extract it into its own directory, and verify the binary runs
curl -LO https://github.com/Yamato-Security/hayabusa/releases/latest/download/hayabusa-3.0.0-lin-x64-gnu.zip
unzip hayabusa-*.zip -d hayabusa && cd hayabusa
./hayabusa-3.0.0-lin-x64-gnu --version
```
Or build from source (rules are a submodule):
```bash
git clone https://github.com/Yamato-Security/hayabusa.git --recursive
cd hayabusa && cargo build --release
```
.evtx files (or run with --live-analysis on the host, as Administrator).
```bash
./hayabusa update-rules
```
jq for JSONL.

| Technique ID | Official Name | Why Hayabusa Detects It |
|---|---|---|
| T1059.001 | Command and Scripting Interpreter: PowerShell | Sigma rules over Event IDs 4104/4103 and Sysmon flag malicious PowerShell |
| T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Rules over process-creation events surface suspicious cmd usage |
| T1078 | Valid Accounts | Logon events (4624/4625/4672) reveal anomalous authentication |
| T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Rules over registry-modification events flag persistence |
| T1053.005 | Scheduled Task/Job: Scheduled Task | Event ID 4698/106 rules surface task creation |
| T1003 | OS Credential Dumping | Rules flag LSASS access and credential-dumping patterns |
Pull the latest Sigma and Hayabusa rules before every investigation.
```bash
./hayabusa update-rules
```
Point Hayabusa at a directory of .evtx files and write a CSV timeline. -w skips the interactive wizard for scripted runs.
```bash
./hayabusa csv-timeline -d ./collected_evtx -o timeline.csv -w
# UTC timestamps for cross-host correlation
./hayabusa csv-timeline -d ./collected_evtx -o timeline_utc.csv -U -w
```
Profiles control detail. Use verbose to include MITRE ATT&CK tactics, tags, and the source rule/EVTX file; all-field-info to retain every original field.
```bash
# Verbose: adds MITRE tactics, tags, rule file, evtx file
./hayabusa csv-timeline -d ./collected_evtx -o timeline_verbose.csv -p verbose -w
# Preserve all original event fields
./hayabusa csv-timeline -d ./collected_evtx -o timeline_full.csv -p all-field-info -w
```
Available profiles: minimal, standard (default), verbose, all-field-info, all-field-info-verbose, super-verbose, timesketch-minimal, timesketch-verbose.
Focus triage on the highest-confidence detections with -m/--min-level.
```bash
./hayabusa csv-timeline -d ./collected_evtx -o critical.csv -m high -w
```
Levels: informational, low, medium, high, critical.
JSONL feeds cleanly into jq and downstream pipelines.
```bash
./hayabusa json-timeline -d ./collected_evtx -L -o timeline.jsonl -w
# Example: top rule titles
jq -r '.RuleTitle' timeline.jsonl | sort | uniq -c | sort -rn | head
```
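As an added example (not part of Hayabusa or of this page's own commands), a small Python post-processor for the JSONL timeline: it applies the same minimum-level floor as -m, counts rule titles the way the jq pipeline above does, and pivots T1059.001 hits per host. The field names (Timestamp, Computer, EventID, Level, RuleTitle, MitreTags) are assumed from the verbose profile and the sample records are constructed.

```python
import json
from collections import Counter, defaultdict

# Severity order of -m/--min-level; Hayabusa also prints abbreviated names.
LEVELS = ["informational", "low", "medium", "high", "critical"]
ALIASES = {"info": "informational", "med": "medium", "crit": "critical"}

# Constructed sample of Hayabusa JSONL output (field names assumed from the
# verbose profile; RuleTitle is the field the jq one-liner above reads).
SAMPLE_JSONL = """\
{"Timestamp":"2024-05-01 09:12:03.114 +00:00","Computer":"WS01","Channel":"PwSh","EventID":4104,"Level":"high","RuleTitle":"Suspicious PowerShell Download Cradle","MitreTags":["attack.t1059.001"]}
{"Timestamp":"2024-05-01 09:12:05.002 +00:00","Computer":"WS01","Channel":"Sysmon","EventID":1,"Level":"med","RuleTitle":"Encoded PowerShell Command Line","MitreTags":["attack.t1059.001"]}
{"Timestamp":"2024-05-01 09:20:44.560 +00:00","Computer":"DC01","Channel":"Sec","EventID":4624,"Level":"info","RuleTitle":"Logon Success","MitreTags":["attack.t1078"]}
{"Timestamp":"2024-05-01 09:31:10.000 +00:00","Computer":"WS02","Channel":"Sec","EventID":4698,"Level":"high","RuleTitle":"Scheduled Task Created","MitreTags":["attack.t1053.005"]}
{"Timestamp":"2024-05-01 09:33:51.210 +00:00","Computer":"WS01","Channel":"PwSh","EventID":4104,"Level":"high","RuleTitle":"Suspicious PowerShell Download Cradle","MitreTags":["attack.t1059.001"]}
"""

def load_jsonl(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def level_rank(level):
    """Position of a level on the scale, accepting abbreviated spellings."""
    name = level.lower()
    return LEVELS.index(ALIASES.get(name, name))

def at_least(events, min_level):
    """Keep events whose Level is >= min_level, like csv-timeline -m."""
    floor = level_rank(min_level)
    return [e for e in events if level_rank(e["Level"]) >= floor]

def top_rules(events):
    """Same count as the jq | sort | uniq -c pipeline, most frequent first."""
    return Counter(e["RuleTitle"] for e in events).most_common()

def hits_by_technique(events, technique):
    """Computer -> [(Timestamp, EventID)] for one ATT&CK tag, e.g. T1059.001."""
    tag = technique.lower()
    out = defaultdict(list)
    for e in events:
        if any(t.lower() == tag for t in e.get("MitreTags", [])):
            out[e["Computer"]].append((e["Timestamp"], e["EventID"]))
    return dict(out)

if __name__ == "__main__":
    events = load_jsonl(SAMPLE_JSONL)
    for title, n in top_rules(at_least(events, "high")):
        print(f"{n:4d} {title}")
    print(hits_by_technique(events, "attack.t1059.001"))
```

Point load_jsonl at the contents of a real timeline.jsonl to get the same per-rule and per-host pivots over an actual case.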
Summaries reveal which hosts and Event IDs dominate, and pivot keywords give hunting leads.
```bash
./hayabusa computer-metrics -d ./collected_evtx -o computers.csv
./hayabusa eid-metrics -d ./collected_evtx -o eid.csv
./hayabusa log-metrics -d ./collected_evtx -o logs.csv
./hayabusa pivot-keywords-list -d ./collected_evtx -m medium -o pivots
```
Use the search command for keyword or regex hunting independent of detection rules.
```bash
# Keyword search (case-insensitive) for a suspicious binary
./hayabusa search -d ./collected_evtx -k "powershell" -i
# Regex search for base64-looking PowerShell encoded commands
./hayabusa search -d ./collected_evtx -r "-[Ee]nc(odedCommand)?\s+[A-Za-z0-9+/=]{20,}"
```
On the affected machine (Administrator), analyze local logs without exporting first.
```bash
./hayabusa csv-timeline -l -o live_timeline.csv -m high -w
```
| Tool | Purpose | Source |
|---|---|---|
| Hayabusa | Sigma-based EVTX timeline/threat hunting | https://github.com/Yamato-Security/hayabusa |
| hayabusa-rules | Sigma + Hayabusa detection rules | https://github.com/Yamato-Security/hayabusa-rules |
| Takajō | Hayabusa results analyzer | https://github.com/Yamato-Security/takajo |
| Timeline Explorer | Review CSV timelines | https://ericzimmerman.github.io/ |
| Timesketch | Collaborative timeline analysis | https://timesketch.org/ |
| Sigma | Generic detection rule format | https://github.com/SigmaHQ/sigma |
- --version confirmed.
- update-rules before analysis.
- .evtx directory.