Merge branch 'main' into 689-new-feature-html-summary-output

This commit is contained in:
DastInDark
2022-09-27 14:21:35 +09:00
19 changed files with 371 additions and 122 deletions


@@ -170,7 +170,7 @@ You can learn how to import CSV files into Timesketch [here](doc/TimesketchImpor
* Threat hunting based on IoC signatures written in easy to read/create/edit YML based hayabusa rules.
* Sigma rule support to convert sigma rules to hayabusa rules.
* Currently it supports the most sigma rules compared to other similar tools and even supports count rules and new aggregators such as `|equalsfield`.
* Event log statistics. (Useful for getting a picture of what types of events there are and for tuning your log settings.)
* Event ID metrics. (Useful for getting a picture of what types of events there are and for tuning your log settings.)
* Rule tuning configuration by excluding unneeded or noisy rules.
* MITRE ATT&CK mapping of tactics.
* Rule level tuning.
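Review bot: the renamed bullet keeps the parenthetical of the old "Event log statistics" line word for word, so the only change at "Event ID metrics" is the label; since this rename tracks the `-s, --statistics` to `-M, --metrics` option change later in the same commit, consider keeping the old name once in the bullet (e.g. "Event ID metrics (formerly event log statistics)") so readers searching the README for the old feature name still land here.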
@@ -361,7 +361,7 @@ You should now be able to run hayabusa.
* `--level-tuning`: Custom tune the alerts' `level`.
* `-L, --logon-summary`: Print a summary of logon events.
* `-P, --pivot-keywords-list`: Print a list of suspicious keywords to pivot on.
* `-s, --statistics`: Print metrics of the count and percentage of events based on Event ID.
* `-M, --metrics`: Print metrics of the number and percentage of events based on Event ID.
* `--set-default-profile`: Change the default profile.
* `-u, --update`: Sync the rules to the latest rules in the [hayabusa-rules](https://github.com/Yamato-Security/hayabusa-rules) GitHub repository.
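Review bot: the new `-M, --metrics` entry is placed after `-P, --pivot-keywords-list`, while the OTHER-ACTIONS help output further down lists `-M` before `-p`; pick one ordering and use it in both places. Replacing the `-s` short flag with `-M` is also a breaking change for existing scripts, so the option list should state that `-s`/`--statistics` was replaced by `-M`/`--metrics` instead of silently swapping the line.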
@@ -410,8 +410,8 @@ OTHER-ACTIONS:
--contributors Print the list of contributors
-L, --logon-summary Print a summary of successful and failed logons
--level-tuning [<FILE>] Tune alert levels (default: ./rules/config/level_tuning.txt)
-M, --metrics Print event ID metrics
-p, --pivot-keywords-list Create a list of pivot keywords
-s, --statistics Print statistics of event IDs
--set-default-profile <PROFILE> Set default output profile
-u, --update-rules Update to the latest rules in the hayabusa-rules github repository
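Review bot: with `-s, --statistics` removed from OTHER-ACTIONS no deprecated alias is shown, so existing invocations using `-s` will now fail at argument parsing; if the binary still accepts `-s` for compatibility, the help text should say so, and if it does not, the removal belongs in the changelog. Also visible in this block and worth aligning while these lines are being edited: the help shows `-u, --update-rules` and `-p, --pivot-keywords-list`, whereas the option list above documents `-u, --update` and `-P, --pivot-keywords-list`.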
@@ -498,16 +498,16 @@ hayabusa-1.6.0-win-x64.exe -l -m low
hayabusa-1.6.0-win-x64.exe -l -m critical -p -o keywords
```
* Print Event ID statistics:
* Print Event ID metrics:
```bash
hayabusa-1.6.0-win-x64.exe -f Security.evtx -s
hayabusa-1.6.0-win-x64.exe -f Security.evtx -M
```
* Print logon summary:
```bash
hayabusa-1.6.0-win-x64.exe -L -f Security.evtx -s
hayabusa-1.6.0-win-x64.exe -L -f Security.evtx -M
```
* Print verbose information (useful for determining which files take long to process, parsing errors, etc...):
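Review bot: under "Print logon summary", the example `hayabusa-1.6.0-win-x64.exe -L -f Security.evtx -M` still carries the metrics flag inherited from the old `-s` form; if `-L` does not need `-M`, drop it so the example shows only the logon summary, and if the two are meant to be combined, say so in the bullet. The `-s` to `-M` swap under "Print Event ID metrics" is consistent with the option rename.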