CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update readme

Browse Source
This commit is contained in:
Yamato Security
2022-10-02 03:38:34 +09:00
parent d91fd31392
commit d394322628
7 changed files with 23 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
README-Japanese.md
View File

@@ -36,12 +36,12 @@ Hayabusaは、日本の[Yamato Security](https://yamatosecurity.connpass.com/)
- [ターミナル出力画面](#ターミナル出力画面)
- [イベント頻度タイムライン出力画面 (`-V`オプション)](#イベント頻度タイムライン出力画面--vオプション)
- [結果サマリ画面](#結果サマリ画面)
- [HTMLの結果サマリ (`-H`オプション)](#htmlの結果サマリ--hオプション)
- [Excelでの解析](#excelでの解析)
- [Timeline Explorerでの解析](#timeline-explorerでの解析)
- [Criticalアラートのフィルタリングとコンピュータごとのグルーピング](#criticalアラートのフィルタリングとコンピュータごとのグルーピング)
- [Elastic Stackダッシュボードでの解析](#elastic-stackダッシュボードでの解析)
- [Timesketchでの解析](#timesketchでの解析)
- [HTMLの結果サマリ](#htmlの結果サマリ)
- [タイムラインのサンプル結果](#タイムラインのサンプル結果)
- [特徴&機能](#特徴機能)
- [ダウンロード](#ダウンロード)
@@ -137,6 +137,14 @@ Hayabusaは従来のWindowsイベントログ分析解析と比較して、分
![Hayabusa 結果サマリ画面](screenshots/HayabusaResultsSummary.png)
## HTMLの結果サマリ (`-H`オプション)
<img alt="HTML Results Summary" src="screenshots/HTML-ResultsSummary-1.png" width="90%">
<img alt="HTML Results Summary" src="screenshots/HTML-ResultsSummary-2.png" width="90%">
<img alt="HTML Results Summary" src="screenshots/HTML-ResultsSummary-3.png" width="90%">
## Excelでの解析
![Hayabusa Excelでの解析](screenshots/ExcelScreenshot.png)
@@ -160,10 +168,6 @@ Hayabusaは従来のWindowsイベントログ分析解析と比較して、分
![Timesketch](screenshots/TimesketchAnalysis.png)
## HTMLの結果サマリ
![HTMLResultsSummary](screenshots/HTML-ResultsSummary.png)
# タイムラインのサンプル結果
CSVのタイムライン結果のサンプルは[こちら](https://github.com/Yamato-Security/hayabusa/tree/main/sample-results)で確認できます。
@@ -298,7 +302,7 @@ cargo build --release --target=x86_64-unknown-linux-musl
```
MUSLバイナリは`./target/x86_64-unknown-linux-musl/release/`ディレクトリ配下に作成されます。
MUSLバイナリはGNUバイナリより約15遅いです。
MUSLバイナリはGNUバイナリより約15遅いですが、より多くのLinuxバージョンとディストロで実行できます
## Linuxでのコンパイルの注意点
@@ -847,7 +851,7 @@ Hayabusaルールは、Windowsのイベントログ解析専用に設計され
1. [Rust正規表現クレート](https://docs.rs/regex/1.5.4/regex/)では機能しない正規表現を使用するルール。
2. [Sigmaルール仕様](https://github.com/SigmaHQ/Sigma/wiki/Specification)の`count`以外の集計式。
3. `|near`を使用するルール。
3. `|near`または`|base64offset|contains`を使用するルール。
## 検知ルールのチューニング

18
README.md
View File

@@ -35,12 +35,12 @@ Hayabusa is a **Windows event log fast forensics timeline generator** and **thre
- [Terminal Output](#terminal-output)
- [Event Fequency Timeline (`-V` option)](#event-fequency-timeline--v-option)
- [Results Summary](#results-summary)
- [HTML Results Summary (`-H` option)](#html-results-summary--h-option)
- [Analysis in Excel](#analysis-in-excel)
- [Analysis in Timeline Explorer](#analysis-in-timeline-explorer)
- [Critical Alert Filtering and Computer Grouping in Timeline Explorer](#critical-alert-filtering-and-computer-grouping-in-timeline-explorer)
- [Analysis with the Elastic Stack Dashboard](#analysis-with-the-elastic-stack-dashboard)
- [Analysis in Timesketch](#analysis-in-timesketch)
- [HTML Results Summary](#html-results-summary)
- [Analyzing Sample Timeline Results](#analyzing-sample-timeline-results)
- [Features](#features)
- [Downloads](#downloads)
@@ -130,6 +130,14 @@ Hayabusa hopes to let analysts get 80% of their work done in 20% of the time whe
![Hayabusa results summary](screenshots/HayabusaResultsSummary.png)
## HTML Results Summary (`-H` option)
<img alt="HTML Results Summary" src="screenshots/HTML-ResultsSummary-1.png" width="90%">
<img alt="HTML Results Summary" src="screenshots/HTML-ResultsSummary-2.png" width="90%">
<img alt="HTML Results Summary" src="screenshots/HTML-ResultsSummary-3.png" width="90%">
## Analysis in Excel
![Hayabusa analysis in Excel](screenshots/ExcelScreenshot.png)
@@ -152,10 +160,6 @@ Hayabusa hopes to let analysts get 80% of their work done in 20% of the time whe
![Timesketch](screenshots/TimesketchAnalysis.png)
## HTML Results Summary
![HTMLResultsSummary](screenshots/HTML-ResultsSummary.png)
# Analyzing Sample Timeline Results
You can check out a sample CSV timeline [here](https://github.com/Yamato-Security/hayabusa/tree/main/sample-results).
@@ -293,7 +297,7 @@ cargo build --release --target=x86_64-unknown-linux-musl
```
The MUSL binary will be created in the `./target/x86_64-unknown-linux-musl/release/` directory.
MUSL binaries are are about 15% slower than the GNU binaries.
MUSL binaries are are about 15% slower than the GNU binaries, however, they are more portable accross different versions and distributions of linux.
# Running Hayabusa
@@ -837,7 +841,7 @@ Hayabusa rules are designed solely for Windows event log analysis and have the f
1. Rules that use regular expressions that do not work with the [Rust regex crate](https://docs.rs/regex/1.5.4/regex/)
2. Aggregation expressions besides `count` in the [sigma rule specification](https://github.com/SigmaHQ/sigma/wiki/Specification).
3. Rules that use `|near`.
3. Rules that use `|near` or `|base64offset|contains`.
## Detection Rule Tuning

2
rules

Submodule rules updated: 428abf7caa...28c1de3279

BIN
screenshots/HTML-ResultsSummary-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 698 KiB

BIN
screenshots/HTML-ResultsSummary-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 189 KiB

BIN
screenshots/HTML-ResultsSummary-3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 292 KiB

BIN
screenshots/HTML-ResultsSummary.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 481 KiB