Hayabusa Rules
Hayabusa detection rules are written in a sigma-like YML format and are located in the rules folder.
The rules are hosted at https://github.com/Yamato-Security/hayabusa-rules so please send any issues and pull requests for rules there instead of the main Hayabusa repository.
See Creating Rule Files, Detection Fields and Sigma Correlations in this section to understand the rule format and how to create rules. (Source: the hayabusa-rules repository.)
All of the rules from the hayabusa-rules repository should be placed in the rules folder.
Rules with the informational level are considered events, while anything with a level of low or higher is considered an alert.
The hayabusa rule directory structure is separated into 2 directories:
- builtin: logs that can be generated by Windows built-in functionality.
- sysmon: logs that are generated by sysmon.
Rules are further separated into directories by log type (Example: Security, System, etc...) and are named in the following format:
Please check out the current rules to use as a template in creating new ones or for checking the detection logic.
Sigma vs. Hayabusa (Built-in Sigma Compatible) Rules
Hayabusa supports Sigma rules natively, with the single exception that the logsource fields are handled internally.
In order to reduce false positives, Sigma rules should be run through our converter, explained here.
This will add the proper Channel and EventID, and perform field mapping for certain categories like process_creation.
Almost all Hayabusa rules are compatible with the Sigma format so you can use them just like Sigma rules to convert to other SIEM formats. Hayabusa rules are designed solely for Windows event log analysis and have the following benefits:
- An extra `details` field to display additional information taken from only the useful fields in the log.
- They are all tested against sample logs and are known to work.
- Extra aggregators not found in sigma, such as `|equalsfield` and `|endswithfield`.
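A constructed Hayabusa rule showing how the `details` field and the `|equalsfield` aggregator fit into the sigma-like YML format. It is added here as an illustration and is not a rule from the hayabusa-rules repository; the Security 4624 field names (SubjectUserName, TargetUserName, LogonType, IpAddress) are assumed from the Windows event schema, and the id is a placeholder.

```yaml
# Constructed example, not a rule from the hayabusa-rules repository.
title: Logon where the subject and target accounts differ (example)
id: 00000000-0000-0000-0000-000000000000   # placeholder, generate a real UUID
status: test
description: Illustrates the Hayabusa rule layout with a Channel/EventID selection, an equalsfield filter and a details line.
author: example
date: 2024/01/01
logsource:
    product: windows
    service: security
detection:
    selection:
        # Channel and EventID are what the converter adds to plain Sigma rules
        Channel: Security
        EventID: 4624
        LogonType: 2
    filter_same_user:
        # Hayabusa-specific aggregator: matches when the two fields hold the same value,
        # so the rule only fires when one account logged on as another
        SubjectUserName|equalsfield: TargetUserName
    filter_machine_account:
        # Computer accounts end with '$' and routinely perform logons on behalf of users
        SubjectUserName|endswith: '$'
    condition: selection and not filter_same_user and not filter_machine_account
# details pulls only the useful fields into the output line; %Field% is substituted per event
details: 'Subject: %SubjectUserName% ¦ Target: %TargetUserName% ¦ Type: %LogonType% ¦ Src: %IpAddress%'
falsepositives:
    - Administrators using runas or other secondary logons
level: low
ruletype: Hayabusa
```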
To our knowledge, hayabusa provides the greatest native support for sigma rules out of any open source Windows event log analysis tool.