Home
Hayabusa is a Windows event log fast forensics timeline generator and threat hunting tool created by Yamato Security. It is written in memory-safe Rust, is multi-threaded for speed, and is the only open-source tool with full support for the Sigma specification, including v2 correlation rules.
Why Hayabusa?
- Blazing fast
  Written in memory-safe Rust with full multi-threading to parse mountains of .evtx files and produce a single timeline as quickly as possible.
- Full Sigma support
  The only open-source tool with complete support for the Sigma spec, including v2 correlation rules, backed by 4,000+ curated detection rules.
- DFIR timelines
  Consolidates events from one host or thousands into a single CSV / JSON / JSONL forensics timeline ready for analysis.
- Enterprise-wide hunting
  Run live on a single system, collect logs for offline analysis, or hunt across the enterprise with the Velociraptor Hayabusa artifact.
- Rich analysis output
  Metrics, logon summaries, keyword pivoting, HTML reports, and a detection frequency timeline to surface what matters fast.
- Plays well with others
  Import results straight into Elastic Stack, Timesketch, Timeline Explorer, or slice JSON with jq.
See it in action
Browse the Screenshots gallery for terminal output, the HTML results summary, and analysis in LibreOffice, Timeline Explorer and Timesketch.
Quick links
- New here?
  Start with the Overview, then head to Getting Started to download and run Hayabusa.
- Working with the CLI?
  Jump to the Command List and the per-command reference for Analysis, Config and DFIR Timeline commands.
- Tuning output?
  See Output Profiles, Abbreviations and Display & Summary options.
- Going further?
  Explore the Rules, the project ecosystem and how to contribute.

