About Hayabusa
Hayabusa is a Windows event log fast forensics timeline generator and threat hunting tool created by the Yamato Security group in Japan. Hayabusa means "peregrine falcon" in Japanese; the name was chosen because peregrine falcons are the fastest animals in the world, excellent hunters and highly trainable.

It is written in memory-safe Rust and is multi-threaded in order to be as fast as possible. It is the only open-source tool with full support for the Sigma specification, including v2 correlation rules. Hayabusa can parse upstream Sigma rules directly; however, the rules that we use and host in the hayabusa-rules repository have some conversion applied to them to make rule loading more flexible and to reduce false positives. The details are described in the README of the sigma-to-hayabusa-converter repository.

Hayabusa can be run in three ways: on a single running system for live analysis, against logs gathered from one or more systems for offline analysis, or as the Hayabusa artifact in Velociraptor for enterprise-wide threat hunting and incident response. In every case the results are consolidated into a single CSV, JSON or JSONL timeline for easy analysis in tools such as LibreOffice, Timeline Explorer, Elastic Stack and Timesketch.
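Because the timeline from every collection mode lands in one CSV/JSON/JSONL file, a first triage pass is simply a filter and sort over that file. The following Python snippet is an added example and is not part of the Hayabusa project; it reads a JSONL timeline, keeps only detections at or above a chosen severity, and orders them chronologically across all hosts. The three input records are constructed here for illustration, and the field names (`Timestamp`, `Computer`, `Channel`, `EventID`, `Level`, `RuleTitle`) and the level ordering are assumptions about the output layout, not a specification of Hayabusa's actual profile.

```python
import json
from typing import Iterable

# Assumed severity ordering, lowest to highest (not taken from the Hayabusa docs).
LEVEL_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed JSONL records in the shape of a consolidated multi-host timeline.
SAMPLE_JSONL = "\n".join([
    json.dumps({"Timestamp": "2024-03-01 10:15:02.000 +00:00", "Computer": "WS01",
                "Channel": "Sec", "EventID": 4624, "Level": "informational",
                "RuleTitle": "Logon (Network)"}),
    json.dumps({"Timestamp": "2024-03-01 09:58:40.000 +00:00", "Computer": "DC01",
                "Channel": "Sec", "EventID": 4769, "Level": "high",
                "RuleTitle": "Possible Kerberoasting"}),
    json.dumps({"Timestamp": "2024-03-01 10:02:11.000 +00:00", "Computer": "WS01",
                "Channel": "Sysmon", "EventID": 1, "Level": "critical",
                "RuleTitle": "Suspicious Process Creation"}),
])


def load_timeline(jsonl_text: str) -> list[dict]:
    """Parse JSONL text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def triage(events: Iterable[dict], min_level: str = "high") -> list[dict]:
    """Return events at or above min_level, sorted chronologically.

    Hosts are interleaved on the Timestamp field so that a multi-system
    collection reads as one sequence of activity.
    """
    threshold = LEVEL_RANK[min_level.lower()]
    selected = [e for e in events
                if LEVEL_RANK.get(str(e.get("Level", "")).lower(), -1) >= threshold]
    # Timestamps share a fixed-width format and a single offset in this sample,
    # so lexical order equals chronological order.
    return sorted(selected, key=lambda e: e["Timestamp"])


def summarize(events: Iterable[dict]) -> dict[tuple[str, str], int]:
    """Count events per (Computer, RuleTitle) pair for a quick overview."""
    counts: dict[tuple[str, str], int] = {}
    for e in events:
        key = (e["Computer"], e["RuleTitle"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(load_timeline(SAMPLE_JSONL), min_level="high")
    for e in hits:
        print(e["Timestamp"], e["Computer"], e["Level"], e["RuleTitle"])
    print(summarize(hits))
```

Run against a real timeline, replace `SAMPLE_JSONL` with the file contents and adjust the field names if your chosen output profile differs.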