Hayabusa: A Powerful Log Analysis Tool for Forensics and Threat Hunting
- Nov 19, 2023
- 5 min read
Updated: Jul 15

Updated on July 15, 2025
By someone who hates dry cybersecurity guides as much as you do
Let’s talk about a seriously underrated threat-hunting combo:
Hayabusa and Sigma rules.
If you're into threat detection, blue teaming, or incident response — or even if you're just curious about how to spot evil from Windows logs — this is one rabbit hole you'll actually enjoy going down.
---------------------------------------------------------------------------------------------------------
🤔 First off, what even is Sigma?
Alright, let’s simplify.
Think of Sigma as the "universal translator" for security logs. It was created by Thomas Patzke and has grown into a massive open-source project supported by the community. Unlike tools like Snort (for network stuff) or YARA (for file-based threats), Sigma deals with log data — like Windows Event Logs, syslogs, cloud logs, etc.
Here's the beauty:
Sigma gives us a platform-agnostic way to describe suspicious behavior. That means you can write a detection rule once and use it across different SIEMs or tools. It’s kind of like writing one email and having it auto-translated for everyone in your office, no matter what language they speak. Handy, right?
---------------------------------------------------------------------------------------------------------
💻 Enter Hayabusa: The Samurai of Windows Log Hunting
Now, what if I told you there’s a tool that reads Windows event logs and automatically applies Sigma rules to hunt for threats?
Say hello to Hayabusa — which literally means “falcon” in Japanese. 🦅 And just like a falcon, this tool is fast, sharp, and built for one thing: spotting evil in your event logs.
Created by Yamato Security, Hayabusa can churn through EVTX files or even JSON-converted logs and flag anomalies based on a growing rule set.
📦 What does Hayabusa support?
Runs on Windows, macOS, and Linux
Accepts:
Local system event logs
Saved .evtx files
Full directories of logs
Outputs:
CSV (for spreadsheet nerds)
HTML (for a pretty summary)
JSON (for API nerds or automation fans)
🔍 Why Should You Care?
Because logs don’t lie — but they do hide things really well.
Windows logs are full of juicy forensic breadcrumbs: logon events, privilege use, command executions, service creations, and more. The problem is, they’re overwhelming. You’ll drown in logs before you spot the one that matters.
Hayabusa + Sigma is like having a log-sniffing dog that doesn’t get tired.
🧠 Quick Tip: Keeping Hayabusa Updated
Threats evolve fast. So should your detections.
With the simple command:
C:\Users\Akash's\Downloads\hayabusa-3.3.0-all-platforms> .\hayabusa-3.3.0-win-x64.exe update-rules
Hayabusa fetches the latest Sigma rules from the official repo and merges them into its detection engine. It’s like giving your detection engine a brain upgrade on the fly.
⚡ Real Use Case: CSV-Timeline (Output)
Let’s say you want to run Hayabusa on your own machine. You just do:
C:\Users\Akash's\Downloads\hayabusa-3.3.0-win-x64-live-response>hayabusa-3.3.0-win-x64.exe csv-timeline -l -o output1.csv
Output:

⚡ Real Use Case: HTML Report
Let’s say you want to run Hayabusa on your own machine and create an HTML report. You just do:
C:\Users\Akash's\Downloads\hayabusa-3.3.0-win-x64-live-response>hayabusa-3.3.0-win-x64.exe csv-timeline -l -o result.csv -H output.html
Boom. You get an HTML summary with clickable links showing which Sigma rule matched and why.
⚠️ One caveat though:
That HTML report is a summary. For the nitty-gritty details, like which process or user triggered the alert, you’ll want to check the CSV output. That’s where the real breadcrumbs are.

📚 Bonus: What Makes Sigma So Awesome?
Over 3000 rules (and counting!) for all types of threats

Can describe behaviors across:
Windows
Linux
macOS
Cloud platforms
Apps and more
Easy to write, easy to read (even for beginners)
Growing ecosystem of tools that support it (not just Hayabusa)
---------------------------------------------------------------------------------------------------------
🔧 Pro Tip: Combine with Velociraptor
If you're managing multiple endpoints, try plugging Hayabusa into Velociraptor. It’s an open-source digital forensics and incident response (DFIR) framework, and Hayabusa fits in beautifully to give you log-based detection across your fleet.
Check out my Velociraptor series via the link below:
---------------------------------------------------------------------------------------------------------
Imagine this: you’ve got 50 GB of event logs, and you’re tasked with figuring out what happened, when it happened, and where it happened. Doing that manually? Forget it. You’ll be buried in logs till next week.
That’s where Hayabusa’s timeline mode steps in.
With a simple command, Hayabusa can:
Parse a folder full of EVTX files (yes, even 50+ GB of them)
Apply Sigma rules to detect threats
Generate a CSV timeline showing you what went down and when
That CSV file becomes your investigative cheat sheet.
---------------------------------------------------------------------------------------------------------
🧪 Real-World Example: Hunting Across Logs with a Timeline
Here's the full command we used on a Windows system with a big ol’ folder of logs:
hayabusa csv-timeline -d eventlogs/ -T -o hayabusa-threathunting.csv -E --timeline-start "2025-07-01 00:00:00 +00:00" --timeline-end "2025-07-15 00:00:00 +00:00" --no-color
or
.\hayabusa-3.3.0-win-x64.exe csv-timeline --live-analysis -T -o hayabusa-threathunting.csv -E --timeline-start "2025-07-01 00:00:00 +00:00" --timeline-end "2025-07-15 00:00:00 +00:00" --no-color
Let’s break that down:
Pretty neat, right?
---------------------------------------------------------------------------------------------------------
📊 Why CSV Output Is a Game Changer
Hayabusa's CSV output includes super useful fields like:
Timestamps
Event IDs
Threat severity
Rule titles
MITRE ATT&CK IDs (if available)
Computer name (if analyzing multiple systems)

That last part is huge for environments with more than one system. You can correlate threats across endpoints and spot patterns like lateral movement or domain-wide compromise.
---------------------------------------------------------------------------------------------------------
🧰 Organizing the Madness with Timeline Explorer
Now you’ve got this CSV — what next?
Sure, you can open it in Excel or Google Sheets, but if you really want to pivot, filter, and sort like a DFIR wizard, use Timeline Explorer by Eric Zimmerman.
Here’s what you do:
Open the CSV in Timeline Explorer
Drag-n-drop columns like:
Level
Rule Title
Computer

Now you can group alerts by severity, then drill down by rule, then system. Boom. Instant clarity.
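As an added example (not from this post and not Hayabusa's own code), here is a small Python script that does in code what the Timeline Explorer steps above do by hand: it reads a csv-timeline export, keeps only events inside the --timeline-start/--timeline-end window used earlier, counts alerts per severity, and lists high/critical rules that fired on more than one computer, the cross-endpoint pattern the CSV section describes. The column names, the level values and the sample rows are assumptions constructed for this demo.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample shaped like a Hayabusa csv-timeline export; columns follow
# the page's field list (MitreTactics assumed), hosts/rules/details are made up.
SAMPLE_CSV = """\
Timestamp,Computer,Channel,EventID,Level,RuleTitle,Details,MitreTactics
2025-07-02 03:14:07.000 +00:00,WS01,Sec,4624,info,Network Logon,User: alice / LogonType: 3,
2025-07-02 03:15:10.000 +00:00,WS01,Sec,4688,high,Encoded PowerShell Command,Cmd: powershell.exe (encoded),Execution
2025-07-02 03:21:05.000 +00:00,WS02,Sec,4688,high,Encoded PowerShell Command,Cmd: powershell.exe (encoded),Execution
2025-07-02 03:30:00.000 +00:00,DC01,Sec,4697,crit,New Service Installed,Svc: newsvc,Execution
2025-06-30 23:59:59.000 +00:00,WS01,Sec,4688,high,Encoded PowerShell Command,Cmd: powershell.exe (encoded),Execution
"""

# Same window as the page's --timeline-start / --timeline-end example.
WINDOW_START = datetime(2025, 7, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 7, 15, tzinfo=timezone.utc)

def parse_ts(value):
    """Parse a Hayabusa timestamp such as '2025-07-02 03:14:07.000 +00:00'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f %z")

def load_rows(text, start=None, end=None):
    """Read the CSV, keep rows inside [start, end), sort them by time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = parse_ts(row["Timestamp"])
        if (start and ts < start) or (end and ts >= end):
            continue  # outside the investigation window
        row["_ts"] = ts
        rows.append(row)
    return sorted(rows, key=lambda r: r["_ts"])

def triage(rows):
    """Count alerts per Level; flag high/crit rules that fired on >1 host."""
    by_level = Counter(r["Level"] for r in rows)
    hosts_per_rule = defaultdict(set)
    for r in rows:
        if r["Level"] in ("crit", "high"):  # Hayabusa level names (assumed)
            hosts_per_rule[r["RuleTitle"]].add(r["Computer"])
    spread = {rule: sorted(h) for rule, h in hosts_per_rule.items() if len(h) > 1}
    return dict(by_level), spread

def run_demo(start=WINDOW_START, end=WINDOW_END):
    rows = load_rows(SAMPLE_CSV, start, end)
    by_level, spread = triage(rows)
    return len(rows), by_level, spread
```

Point `load_rows` at a real export (open the file and pass its text) and the same grouping applies to thousands of rows; the one-host/many-host split is where lateral movement first shows up.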
---------------------------------------------------------------------------------------------------------
📦 Don’t Stop at CSVs – Integrate & Automate
Hayabusa doesn’t lock you into CSVs. You can also:
Use json-timeline for structured JSON output
Load results into SIEM platforms
Push into Elasticsearch for dashboards
Integrate with Neo4j Desktop for graph-based attack path analysis
You can also change Hayabusa’s output format by using custom profiles:
hayabusa-3.3.0-win-x64.exe list-profiles

This shows you all the output templates. Want to include ATT&CK IDs or remove some columns? Create your own custom YAML profile.
---------------------------------------------------------------------------------------------------------
⚙️ Wait, How Do I Get Logs From All My Machines?
Great question.
Grab logs from remote systems using a quick PowerShell helper script:
📥 Copy-RemoteWindowsLogs.ps1
This lets you collect EVTX files across your domain and organize them by hostname, ready for Hayabusa to chew through.
---------------------------------------------------------------------------------------------------------
🧩 Other Hayabusa Tricks You Should Know
Besides csv-timeline, Hayabusa comes packed with other commands:
update-rules – grab the latest Sigma + Hayabusa rules from GitHub
json-timeline – same timeline, just in JSON
search – keyword-based hunting across logs
logon-summary – view logon patterns
metrics – get event frequency stats
---------------------------------------------------------------------------------------------------------
🔐 New in Hayabusa v2.18.0+: Live Response Packages!
Hayabusa now offers special Live Response packages designed for endpoint use. These packages include the binary, an XOR-encoded Sigma rules file, and a single config file — all bundled together.
Why?
To avoid triggering antivirus tools like Windows Defender and to minimize file writes on disk (protecting forensic artifacts like the USN Journal). Just look for the ZIP files with live-response in the name.


---------------------------------------------------------------------------------------------------------
Final Thoughts
If you’re working in threat detection, response, or forensics, you don’t want to sleep on Hayabusa.
It’s fast. It’s flexible. It supports the Sigma rule ecosystem. And most importantly — it makes sense of the chaotic mess that is Windows Event Logs.
So next time you’re looking at a pile of .evtx files wondering where to even start… just remember:
Hayabusa + Sigma = Instant Timeline, Actionable Threats.
Give it a shot — your future self will thank you. 🙌
-------------------------------------------Dean-------------------------------------------------------------
Check out the article below, where I have shared a few commands to get you started with analysis:
