Timeline Output¶
Output Profiles¶
Hayabusa has 5 pre-defined output profiles to use in config/profiles.yaml:
minimalstandard(default)verboseall-field-infoall-field-info-verbosesuper-verbosetimesketch-minimaltimesketch-verbose
You can easily customize or add your own profiles by editing this file.
You can also easily change the default profile with set-default-profile --profile <profile>.
Use the list-profiles command to show the available profiles and their field information.
1. minimal profile output¶
%Timestamp%, %Computer%, %Channel%, %EventID%, %Level%, %RecordID%, %RuleTitle%, %Details%
2. standard profile output¶
%Timestamp%, %Computer%, %Channel%, %EventID%, %Level%, %RecordID%, %RuleTitle%, %Details%, %ExtraFieldInfo%, %RuleID%
3. verbose profile output¶
%Timestamp%, %Computer%, %Channel%, %EventID%, %Level%, %MitreTactics%, %MitreTags%, %OtherTags%, %RecordID%, %RuleTitle%, %Details%, %ExtraFieldInfo%, %RuleFile%, %RuleID%, %EvtxFile%
4. all-field-info profile output¶
Instead of outputting the minimal details information, all field information in the EventData and UserData sections will be outputted along with their original field names.
%Timestamp%, %Computer%, %Channel%, %EventID%, %Level%, %RecordID%, %RuleTitle%, %AllFieldInfo%, %RuleFile%, %RuleID%, %EvtxFile%
5. all-field-info-verbose profile output¶
%Timestamp%, %Computer%, %Channel%, %EventID%, %Level%, %MitreTactics%, %MitreTags%, %OtherTags%, %RecordID%, %RuleTitle%, %AllFieldInfo%, %RuleFile%, %RuleID%, %EvtxFile%
6. super-verbose profile output¶
%Timestamp%, %Computer%, %Channel%, %EventID%, %Level%, %RuleTitle%, %RuleAuthor%, %RuleModifiedDate%, %Status%, %RecordID%, %Details%, %ExtraFieldInfo%, %MitreTactics%, %MitreTags%, %OtherTags%, %Provider%, %RuleCreationDate%, %RuleFile%, %RuleID%, %EvtxFile%
7. timesketch-minimal profile output¶
Output to a format compatible with importing into Timesketch.
%Timestamp%, hayabusa, %RuleTitle%, %Computer%, %Channel%, %EventID%, %Level%, %MitreTactics%, %MitreTags%, %OtherTags%, %RecordID%, %Details%, %RuleFile%, %RuleID%, %EvtxFile%
8. timesketch-verbose profile output¶
%Timestamp%, hayabusa, %RuleTitle%, %Computer%, %Channel%, %EventID%, %Level%, %MitreTactics%, %MitreTags%, %OtherTags%, %RecordID%, %Details%, %ExtraFieldInfo%, %RuleFile%, %RuleID%, %EvtxFile%
Profile Comparison¶
The following benchmarks were conducted on a 2018 Lenovo P51 (Xeon 4 Core CPU / 64GB RAM) with 3GB of evtx data and 3891 rules enabled. (2023/06/01)
| Profile | Processing Time | Output Filesize | Filesize Increase |
|---|---|---|---|
| minimal | 8 minutes 50 seconds | 770 MB | -30% |
| standard (default) | 9 minutes 00 seconds | 1.1 GB | None |
| verbose | 9 minutes 10 seconds | 1.3 GB | +20% |
| all-field-info | 9 minutes 3 seconds | 1.2 GB | +10% |
| all-field-info-verbose | 9 minutes 10 seconds | 1.3 GB | +20% |
| super-verbose | 9 minutes 12 seconds | 1.5 GB | +35% |
Profile Field Aliases¶
The following information can be outputted with built-in output profiles:
| Alias name | Hayabusa output information |
|---|---|
| %AllFieldInfo% | All field information. |
| %Channel% | The name of log. <Event><System><Channel> field. |
| %Computer% | The <Event><System><Computer> field. |
| %Details% | The details field in the YML detection rule, however, only hayabusa rules have this field. This field gives extra information about the alert or event and can extract useful data from the fields in event logs. For example, usernames, command line information, process information, etc... When a placeholder points to a field that does not exist or there is an incorrect alias mapping, it will be outputted as n/a (not available). If the details field is not specified (i.e. sigma rules), default details messages to extract fields defined in ./rules/config/default_details.txt will be outputted. You can add more default details messages by adding the Provider Name, EventID and details message you want to output in default_details.txt. When no details field is defined in a rule nor in default_details.txt, all fields will be outputted to the details column. |
| %ExtraFieldInfo% | Print the field information that was not outputted in %Details%. |
| %EventID% | The <Event><System><EventID> field. |
| %EvtxFile% | The evtx filename that caused the alert or event. |
| %Level% | The level field in the YML detection rule. (informational, low, medium, high, critical) |
| %MitreTactics% | MITRE ATT&CK tactics (Ex: Initial Access, Lateral Movement, etc...). |
| %MitreTags% | MITRE ATT&CK Group ID, Technique ID and Software ID. |
| %OtherTags% | Any keyword in the tags field in a YML detection rule which is not included in MitreTactics or MitreTags. |
| %Provider% | The Name attribute in <Event><System><Provider> field. |
| %RecordID% | The Event Record ID from <Event><System><EventRecordID> field. |
| %RuleAuthor% | The author field in the YML detection rule. |
| %RuleCreationDate% | The date field in the YML detection rule. |
| %RuleFile% | The filename of the detection rule that generated the alert or event. |
| %RuleID% | The id field in the YML detection rule. |
| %RuleModifiedDate% | The modified field in the YML detection rule. |
| %RuleTitle% | The title field in the YML detection rule. |
| %Status% | The status field in the YML detection rule. |
| %Timestamp% | Default is YYYY-MM-DD HH:mm:ss.sss +hh:mm format. <Event><System><TimeCreated SystemTime> field in the event log. The default timezone will be the local timezone but you can change the timezone to UTC with the --UTC option. |
Extra Profile Field Alias¶
You can also add this extra aliases to your output profile if you need it:
| Alias name | Hayabusa output information |
|---|---|
| %RenderedMessage% | The <Event><RenderingInfo><Message> field in WEC forwarded logs. |
Note: this is not included in any built in profiles so you will need to manually edit the config/default_profile.yaml file and add the following line:
You can also define event key aliases to output other fields.