# About Hayabusa
Hayabusa ("falcon" in Japanese) is a **Windows event log fast forensics timeline generator** and **threat hunting tool** created by the [Yamato Security](https://yamatosecurity.connpass.com/) group in Japan. It is written in [Rust](https://www.rust-lang.org/) and supports multi-threading in order to be as fast as possible. It supports converted [sigma](https://github.com/SigmaHQ/sigma) and hayabusa detection rules written in YAML in order to be as easily customizable and extensible as possible. It can be run either on a live system or by gathering logs from multiple systems. The output will be consolidated into a single CSV timeline for easy analysis in Excel or [timeline explorer](https://ericzimmerman.github.io/#!index.md).
## Fast forensics timeline generation
Windows event log analysis has traditionally been a very long and tedious process because Windows event logs are 1) in a data format that is hard to analyze and 2) the majority of data is noise and not useful for investigations. Hayabusa's main goal is to extract out only useful data and present it in an easy-to-read format that is usable not only by professionally trained analysts but any Windows system administrator.
Hayabusa is not intended to be a replacement for tools like [Evtx Explorer](https://ericzimmerman.github.io/#!index.md) or [Event Log Explorer](https://eventlogxp.com/) for slower deep-dive analysis but is intended for letting analysts get 80% of their work done in 20% of the time.
## Threat hunting
Hayabusa currently has over 1000 detection rules and the ultimate goal is to be able to push out hayabusa agents to all Windows endpoints after an incident or for periodic threat hunting and have them alert back to a central server.
# About the development
First inspired by the [DeepBlueCLI](https://github.com/sans-blue-team/DeepBlueCLI) Windows event log analyzer, we started in 2020 porting it over to Rust for the [RustyBlue](https://github.com/Yamato-Security/RustyBlue) project, then created sigma-like flexible detection signatures written in YAML, and then added a backend to sigma to support converting sigma rules into our hayabusa rule format.
# Screenshots
Startup:
Terminal output:
Results summary:
# Features
* Cross-platform support: Windows, Linux, macOS
* Developed in Rust to be memory safe and faster than a hayabusa falcon!
* Multi-thread support
* Creates a single easy-to-analyze CSV timeline for forensic investigations and incident response
* Threat hunting based on IoC signatures written in easy to read/create/edit YAML based hayabusa rules
* Sigma rule support to convert sigma rules to hayabusa rules
* Currently it supports the most sigma rules compared to other similar tools and even supports count rules
* Event log statistics (Useful for getting a picture of what types of events there are and for tuning your log settings)
* Rule tuning configuration by excluding bad rules or noisy rules
# Planned Features
* Enterprise-wide hunting on all endpoints
* Japanese language support
* MITRE ATT&CK mapping
* MITRE ATT&CK heatmap generation
* User logon and failed logon summary
* Input from JSON logs
* Output to JSON -> import to Elastic Stack/Splunk
# Downloads
You can download pre-compiled binaries for the Windows, Linux and macOS at [Releases.](https://github.com/Yamato-Security/hayabusa/releases)
# Compiling from source
If you have rust installed, you can compile from source with the following command.
````
cargo build --release
````
# Usage
## Command line options
````
USAGE:
-f --filepath=[FILEPATH] 'File path to one .evtx file'
--csv-timeline=[CSV_TIMELINE] 'Save the timeline in CSV format'
--rfc-2822 'Output date and time in RFC 2822 format. Example: Mon, 07 Aug 2006 12:34:56 -0600'
--rfc-3339 'Output date and time in RFC 3339 format. Example: 2006-08-07T12:34:56.485214 -06:00'
--verbose 'Output verbose information to target event file path and rule file'
-q 'Quiet mode. Do not display the launch banner'
-r --rules=[RULEDIRECTORY] 'Rule file directory (default: ./rules)'
-m --min-level=[LEVEL] 'Minimum level for rules (default: informational)' (Possiblities are: informational, low, medium, high, critical)
-u --utc 'Output time in UTC format (default: local time)'
-d --directory=[DIRECTORY] 'Directory of multiple .evtx files'
-s --statistics 'Prints statistics of event IDs'
-n --show-noisyalerts 'do not exclude noisy rules'
-t --threadnum=[NUM] 'Thread number (default: optimal number for performance)' (Usually there is no performance benefit in increasing the number of threads but you may want to lower to a smaller number to reduce CPU load.)
--contributors 'Prints the list of contributors'
````
## Usage examples
* Run hayabusa against one Windows event log file:
````
hayabusa.exe -f eventlog.evtx
````
* Run hayabusa against the sample-evtx directory with multiple Windows event log files:
````
hayabusa.exe -d .\sample-evtx
````
* Export to a single CSV file for further analysis with excel or timeline explorer:
````
hayabusa.exe -d .\sample-evtx --csv-timeline results.csv
````
* Only run hayabusa rules:
````
hayabusa.exe -d .\sample-evtx --csv-timeline results.csv -r ./rules/hayabusa
````
* Only run sigma rules and show noisy alerts (disabled by default):
````
hayabusa.exe -d .\sample-evtx --csv-timeline results.csv -r ./rules/sigma --show-noisyalerts
````
* Only run rules to analyze logons and output in the UTC timezone:
````
hayabusa.exe -d .\sample-evtx --csv-timeline results.csv -r ./rules/hayabusa/default/events/Security/Logons -u
````
* Run on a live Windows machine (requires Administrator privileges) and only detect alerts (potentially malicious behavior):
````
hayabusa.exe -d C:\Windows\System32\winevt\Logs -m low
````
* Get event ID statistics:
````
hayabusa.exe -d C:\Windows\System32\winevt\Logs -s
````
## Testing hayabusa out on sample evtx files
We have provided some sample evtx files for you to test hayabusa and/or create new rules at [https://github.com/Yamato-Security/hayabusa-sample-evtx](https://github.com/Yamato-Security/hayabusa-sample-evtx)
# Hayabusa rules
Hayabusa detection rules are written in a sigma-like YAML format and are located at [https://github.com/Yamato-Security/hayabusa-rules](https://github.com/Yamato-Security/hayabusa-rules).
Please read [AboutRuleCreation-English.md](./doc/AboutRuleCreation-English.md) to understand about the rule format how to create rules.
All of the rules are in the `rules` folder.
`informational` level rules are considered `events`, while anything rated `low` and higher are considered `alerts`.
The hayabusa rule directory structure is separated into 3 directories:
* `default`: logs that are turned on by default
* `non-default`: logs that need to be turned on through group policy
* `sysmon`: logs that are generated by [sysmon](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon).
* `testing`: a temporary directory to put rules that you are currently testing
Rules are further seperated into directories by log type (Example: Security, System, etc...) and are named in the following format:
* Alert format: `