
Hayabusa.exe: Essential Commands for In-depth Log Analysis

  • Nov 20, 2023
  • 3 min read

Updated: Jul 15


Updated on 15 July, 2025
To understand Hayabusa completely, check out the article below:

Hayabusa Command Arsenal for Deep Analysis:


🖥️ 1. computer-metrics – Which Machines Logged the Most?

Before you even start analyzing logs, you might want to know: Which system created the most log entries? That’s where computer-metrics comes in.


🔧 Example Commands:

# On a live system
hayabusa.exe computer-metrics --live-analysis

# On a directory of logs
hayabusa.exe computer-metrics -d logs/

# On a single EVTX file
hayabusa.exe computer-metrics -f system.evtx

⚠️ Heads-up: Windows sometimes logs inconsistent computer names (like lowercase vs uppercase, or even a different name altogether in Win11), so use this as an estimate, not gospel truth.

📊 2. eid-metrics – Know Your Event ID Distribution

Want a quick summary of what types of events (Event IDs) dominate your log files? That’s where eid-metrics helps.

It prints out the total count and percentage of each Event ID across logs, separated by channel.


🔧 Example Commands:

# On a live system
hayabusa.exe eid-metrics --live-analysis

# On a directory of logs
hayabusa.exe eid-metrics -d logs/

# On a single file
hayabusa.exe eid-metrics -f system.evtx

Perfect when you're trying to spot outliers or excessive logging behavior.
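To show what computer-metrics and eid-metrics are actually computing, here is an added Python example (not Hayabusa's code) that runs the same two counts over a handful of constructed records shaped like a Hayabusa JSONL timeline. The field names (Timestamp, Computer, Channel, EventID) and the "Sec"/"Sys" channel abbreviations are assumptions. It also handles the heads-up above: the same host appears as WS01, ws01 and WS01.corp.local, so the computer count folds case and drops the DNS suffix before tallying.

```python
import json
from collections import Counter, defaultdict

# Constructed sample records in the shape of a Hayabusa JSONL timeline.
# Field names are assumptions for this example, not copied from the tool.
SAMPLE_EVENTS = """\
{"Timestamp": "2025-07-15 09:00:01", "Computer": "WS01", "Channel": "Sec", "EventID": 4624}
{"Timestamp": "2025-07-15 09:00:05", "Computer": "ws01", "Channel": "Sec", "EventID": 4625}
{"Timestamp": "2025-07-15 09:00:07", "Computer": "WS01.corp.local", "Channel": "Sec", "EventID": 4625}
{"Timestamp": "2025-07-15 09:01:00", "Computer": "DC01", "Channel": "Sec", "EventID": 4624}
{"Timestamp": "2025-07-15 09:01:10", "Computer": "DC01", "Channel": "Sys", "EventID": 7045}
{"Timestamp": "2025-07-15 09:02:00", "Computer": "dc01", "Channel": "Sys", "EventID": 7045}
"""


def load_events(jsonl_text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def normalize_computer(name):
    # Windows may write the same host as WS01, ws01 or WS01.corp.local depending
    # on the channel and OS version; fold case and strip the DNS suffix so the
    # count is not split across spellings (this is why the tool's figure is an estimate).
    return name.split(".")[0].upper()


def computer_metrics(events):
    """Number of events per (normalized) computer name, like computer-metrics."""
    return Counter(normalize_computer(e["Computer"]) for e in events)


def eid_metrics(events):
    """{channel: {event_id: (count, percent_within_channel)}}, like eid-metrics."""
    per_channel = defaultdict(Counter)
    for e in events:
        per_channel[e["Channel"]][e["EventID"]] += 1
    result = {}
    for channel, counter in per_channel.items():
        total = sum(counter.values())
        result[channel] = {
            eid: (n, round(100.0 * n / total, 1)) for eid, n in counter.items()
        }
    return result


if __name__ == "__main__":
    events = load_events(SAMPLE_EVENTS)
    print("Events per computer:")
    for host, n in computer_metrics(events).most_common():
        print(f"  {host:<10} {n}")
    print("Event ID distribution per channel:")
    for channel, dist in eid_metrics(events).items():
        for eid, (n, pct) in sorted(dist.items()):
            print(f"  {channel:<5} EID {eid:<6} {n:>3} ({pct}%)")
```

The percentage here is taken within each channel; if you want the share of the whole log set instead, divide by the overall event count.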

📁 3. log-metrics – Get the Big Picture

Think of this as your log metadata report. It gives you:

  • Log file names

  • Computer names

  • Number of events

  • First & last timestamps

  • Channels & Providers


🔧 Example:

hayabusa.exe log-metrics --live-analysis
hayabusa.exe log-metrics -d logs/

This is a great way to sanity-check your input before diving into detection or timeline work.

🔐 4. logon-summary – Who Logged In (and Failed)?

This one’s a favorite in IR cases. It summarizes user logons, showing:

  • Usernames

  • Success counts

  • Failure counts


🔧 Examples:

# On live system
hayabusa.exe logon-summary --live-analysis

# On a directory of EVTX files
hayabusa.exe logon-summary -d logs/

Perfect for identifying brute-force attempts, suspicious user activity, or just getting a quick login audit.
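Here is an added Python example (my own, not Hayabusa's code) of the per-user success/failure tally that logon-summary produces, run over constructed Security-log records. It counts 4624 as a success and 4625 as a failure, folds user names to lower case so "bob" and "Bob" are one account, keeps the source addresses seen for each account, and flags any account whose failure count crosses a threshold, which is the signal you would look at first when checking for brute-force or password-spray activity. The record shape, the "Sec" channel abbreviation and the Details keys (TgtUser, SrcIP, Type) are assumptions.

```python
from collections import defaultdict

# Constructed records in the shape of parsed Hayabusa JSONL output
# (field names assumed for this example).
SAMPLE_LOGONS = [
    {"Timestamp": "2025-07-15 10:00:00", "Computer": "WS01", "Channel": "Sec", "EventID": 4624,
     "Details": {"TgtUser": "alice", "SrcIP": "10.0.0.12", "Type": 2}},
    {"Timestamp": "2025-07-15 10:00:10", "Computer": "WS01", "Channel": "Sec", "EventID": 4624,
     "Details": {"TgtUser": "bob", "SrcIP": "10.0.0.13", "Type": 3}},
    {"Timestamp": "2025-07-15 10:00:11", "Computer": "WS01", "Channel": "Sec", "EventID": 4625,
     "Details": {"TgtUser": "bob", "SrcIP": "10.0.0.13", "Type": 3}},
    {"Timestamp": "2025-07-15 10:00:12", "Computer": "WS01", "Channel": "Sec", "EventID": 4624,
     "Details": {"TgtUser": "Bob", "SrcIP": "10.0.0.13", "Type": 3}},
    # A non-logon event that the summary must ignore.
    {"Timestamp": "2025-07-15 10:02:00", "Computer": "DC01", "Channel": "Sys", "EventID": 7045,
     "Details": {"ServiceName": "updater"}},
]
# Six failed logons for one account from one source within a minute.
SAMPLE_LOGONS += [
    {"Timestamp": f"2025-07-15 10:01:{sec:02d}", "Computer": "DC01", "Channel": "Sec", "EventID": 4625,
     "Details": {"TgtUser": "Administrator", "SrcIP": "10.0.0.9", "Type": 3}}
    for sec in range(6)
]

SUCCESS_EID = 4624
FAILURE_EID = 4625


def logon_summary(events):
    """Per-account success/failure counts plus the source IPs seen, like logon-summary."""
    summary = defaultdict(lambda: {"success": 0, "failure": 0, "sources": set()})
    for e in events:
        if e.get("Channel") != "Sec":
            continue
        if e["EventID"] == SUCCESS_EID:
            outcome = "success"
        elif e["EventID"] == FAILURE_EID:
            outcome = "failure"
        else:
            continue
        # Account names are case-insensitive on Windows; fold them so one
        # account is not counted twice.
        user = e["Details"]["TgtUser"].lower()
        summary[user][outcome] += 1
        summary[user]["sources"].add(e["Details"]["SrcIP"])
    return dict(summary)


def suspicious_users(summary, max_failures=5):
    """Accounts whose failure count reaches the threshold: first stop in a brute-force check."""
    return sorted(user for user, s in summary.items() if s["failure"] >= max_failures)


if __name__ == "__main__":
    summary = logon_summary(SAMPLE_LOGONS)
    print(f"{'User':<15}{'Success':>8}{'Failure':>8}  Sources")
    for user, s in sorted(summary.items()):
        print(f"{user:<15}{s['success']:>8}{s['failure']:>8}  {', '.join(sorted(s['sources']))}")
    print("Review first:", suspicious_users(summary))
```

The threshold is deliberately a parameter: on a domain controller a handful of failures per account is normal noise, so tune it to the host's baseline rather than treating any failure as an alert.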

🎯 5. pivot-keywords-list – Find What’s Weird

This one’s pure gold for threat hunting.

It generates a list of keywords (like usernames, hostnames, process names, etc.) seen in logs — so you can find outliers or suspicious entities.


💡 Pro tip: Use -m critical to only look at keywords in critical alerts, and build up from there.

🔧 Examples:

# View pivot keywords from critical events
hayabusa.exe pivot-keywords-list -d logs/ -m critical

# Save results to files
hayabusa.exe pivot-keywords-list -d logs/ -m critical -o keywords

or

hayabusa-3.3.0-win-x64.exe pivot-keywords-list --live-analysis -m critical -o keywords --no-wizard

It’ll generate files like keywords-Users.txt, keywords-IpAddresses.txt, etc.

🛠 Use case: Take that keyword list and use it with grep to build a custom timeline:

grep -f keywords.txt timeline.csv

Customize the search fields by editing the config file:

./rules/config/pivot_keywords.txt

🔎 6. search – Deep-Dive with Keywords or Regex

Hayabusa’s search command isn’t limited to detection results — it lets you search across all events, even those not flagged by rules.



🔧 Examples:

# Search for 'mimikatz' in all logs
hayabusa.exe search -d logs/ -k "mimikatz"

# Search for multiple keywords
hayabusa.exe search -d logs/ -k "mimikatz" -k "kali"

# Case-insensitive search
hayabusa.exe search -d logs/ -k "mimikatz" -i

# Search using regex (e.g., IP addresses)
hayabusa.exe search -d logs/ -r "(?:[0-9]{1,3}\.){3}[0-9]{1,3}"

# Field-specific search (e.g., WorkstationName)
hayabusa.exe search -d logs/ -r ".*" -F WorkstationName:"kali"
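The pivot-keywords grep use case and the search options above are the same idea from two directions: filter timeline rows by keyword, regex or field. The added Python example below (my own code, not Hayabusa's) does both over a constructed CSV timeline: it merges the keywords-*.txt files into one set and filters rows the way `grep -f keywords.txt timeline.csv` does, and it implements keyword search with the case-insensitive switch, regex search and a Field:Value filter. The CSV column names and the "Key: value ¦ Key: value" layout of the Details column are assumptions about the output format; the keyword file names are the ones the post mentions, their contents are made up.

```python
import csv
import io
import re

# Constructed keyword files as pivot-keywords-list would write them
# (file names from the post, contents made up for this example).
KEYWORD_FILES = {
    "keywords-Users.txt": "admin\nkali\n",
    "keywords-IpAddresses.txt": "10.0.0.9\n",
}

# Constructed CSV timeline; column names and the Details layout are assumptions.
TIMELINE_CSV = """\
Timestamp,Computer,Channel,EventID,Level,RuleTitle,Details
2025-07-15 10:00:01,WS01,Sec,4625,med,Logon Failure,"TgtUser: admin ¦ SrcIP: 10.0.0.9 ¦ WorkstationName: kali"
2025-07-15 10:00:02,WS01,Sec,4624,info,Logon Success,"TgtUser: alice ¦ SrcIP: 10.0.0.12 ¦ WorkstationName: LAPTOP-ALICE"
2025-07-15 10:03:00,WS01,Sysmon,1,high,Suspicious Tool,"Image: C:\\Temp\\Mimikatz.exe ¦ User: WS01\\alice"
2025-07-15 10:05:00,DC01,Sys,7045,low,Service Installed,"ServiceName: updater ¦ ImagePath: C:\\Windows\\svc.exe"
"""

IP_REGEX = r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}"


def load_pivot_keywords(files):
    """Merge every keywords-*.txt into one set, as you would before `grep -f`."""
    keywords = set()
    for text in files.values():
        keywords.update(line.strip() for line in text.splitlines() if line.strip())
    return keywords


def parse_timeline(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def parse_details(details):
    """Split 'Key: value ¦ Key: value' into a dict (layout assumed)."""
    fields = {}
    for pair in details.split(" ¦ "):
        if ": " in pair:
            key, value = pair.split(": ", 1)
            fields[key] = value
    return fields


def row_text(row):
    return ",".join(row.values())


def grep_timeline(rows, keywords):
    """Rows whose raw text contains any keyword: `grep -f keywords.txt timeline.csv`."""
    return [row for row in rows if any(k in row_text(row) for k in keywords)]


def search_events(rows, keywords=(), regex=None, ignore_case=False, field_filter=None):
    """Keyword (-k), regex (-r), case-insensitive (-i) and Field:Value (-F) search."""
    pattern = re.compile(regex, re.IGNORECASE if ignore_case else 0) if regex else None
    fold = (lambda s: s.lower()) if ignore_case else (lambda s: s)
    matches = []
    for row in rows:
        text = row_text(row)
        if keywords and not any(fold(k) in fold(text) for k in keywords):
            continue
        if pattern and not pattern.search(text):
            continue
        if field_filter:
            name, value = field_filter.split(":", 1)
            # Top-level columns first, then the key/value pairs inside Details.
            fields = dict(row)
            fields.update(parse_details(row.get("Details", "")))
            if fields.get(name) != value:
                continue
        matches.append(row)
    return matches


if __name__ == "__main__":
    rows = parse_timeline(TIMELINE_CSV)
    pivots = load_pivot_keywords(KEYWORD_FILES)
    print("grep -f pivots:", [r["RuleTitle"] for r in grep_timeline(rows, pivots)])
    print("-k mimikatz   :", [r["RuleTitle"] for r in search_events(rows, ["mimikatz"])])
    print("-k mimikatz -i:", [r["RuleTitle"] for r in search_events(rows, ["mimikatz"], ignore_case=True)])
    print("-r <ip>       :", [r["RuleTitle"] for r in search_events(rows, regex=IP_REGEX)])
    print("-F Workstation:", [r["RuleTitle"] for r in search_events(rows, regex=".*", field_filter="WorkstationName:kali")])
```

Note the case-sensitivity trap: the plain keyword search for "mimikatz" finds nothing because the image name is logged as "Mimikatz.exe", which is exactly why the `-i` switch exists. Substring matching also means a short keyword such as an IP prefix can hit unrelated rows, so review grep-style results rather than treating every hit as a finding.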


🧠 Wrap-Up: Power at Your Fingertips

With these commands, Hayabusa becomes more than just a Sigma rule engine — it turns into a full-blown, flexible DFIR toolkit.


Here’s a quick recap:

Command                       Purpose
computer-metrics              See log volume per system
eid-metrics                   View Event ID distribution
log-metrics                   Show log metadata (timestamps, channels, etc.)
logon-summary                 Summarize login activity
pivot-keywords-list           Pull out high-value keywords for hunting
search                        Deep keyword & regex searches
csv-timeline / json-timeline  Build visual timelines of suspicious events


----------------------------------------------------------------------------------------------------------

👉 Use these tools together for fast, smart, and scalable threat hunting — whether you're working a single laptop or an enterprise breach.

-----------------------------------------------------Dean---------------------------------------------
