
Home

Hayabusa is a Windows event log fast forensics timeline generator and threat hunting tool created by Yamato Security. It is written in memory-safe Rust, multi-threaded for speed, and is the only open-source tool with full support for the Sigma specification, including v2 correlation rules.


Why Hayabusa?

  • Blazing fast

    Written in memory-safe Rust with full multi-threading to parse mountains of .evtx files and produce a single timeline as quickly as possible.

  • Full Sigma support

    The only open-source tool with complete support for the Sigma spec, including v2 correlation rules, backed by 4,000+ curated detection rules.

  • DFIR timelines

    Consolidates events from one host or thousands into a single CSV / JSON / JSONL forensics timeline ready for analysis.

  • Enterprise-wide hunting

    Run live on a single system, collect logs for offline analysis, or hunt across the enterprise with the Velociraptor Hayabusa artifact.

  • Rich analysis output

    Metrics, logon summaries, keyword pivoting, HTML reports, and a detection frequency timeline to surface what matters fast.

  • Plays well with others

    Import results straight into Elastic Stack, Timesketch, Timeline Explorer, or slice JSON with jq.

See it in action

Hayabusa DFIR timeline creation

Browse the Screenshots gallery for terminal output, the HTML results summary, and analysis in LibreOffice, Timeline Explorer and Timesketch.