digital forensics

Generating Forensic Timelines with Hayabusa

Produce Sigma-based EVTX timelines and summaries with Hayabusa.

dfirevtxforensicshayabusasigmathreat-huntingtimelinewindows-event-logs
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

Overview

Hayabusa (隼, Japanese for "peregrine falcon") is a Sigma-based threat-hunting and fast-forensics timeline generator for Windows event logs, developed by Yamato Security in Rust. It parses .evtx files (offline or via live analysis of a local host), applies a large built-in library of Sigma detection rules plus Hayabusa-specific rules, and produces a single, readable, chronological timeline of high-signal events with severity levels, MITRE ATT&CK tactics, and rule references. This collapses thousands of raw event-log records into a prioritized incident timeline that an analyst can review quickly.

Hayabusa is purpose-built for DFIR triage. Instead of loading EVTX into a SIEM, an investigator runs a single binary against a directory of collected logs and gets a CSV or JSON timeline plus metrics (events per computer, per Event ID, per channel). Because detections are Sigma-based, coverage tracks the open detection-engineering community, and rules can be updated on demand with update-rules. The tool's output integrates with downstream analysis: CSV opens in Timeline Explorer, JSONL feeds into jq, and timesketch-* profiles export directly into Timesketch.

A frequent finding in Hayabusa timelines is malicious PowerShell — MITRE ATT&CK T1059.001 (Command and Scripting Interpreter: PowerShell) — surfaced via Sigma rules over Event ID 4104 (script-block logging), 4103, and Sysmon process creation. This skill maps to NIST CSF RS.AN-03 (analysis is performed to establish what has taken place during an incident).

When to Use

  • During incident-response triage, to turn a pile of collected .evtx files into a prioritized timeline.
  • When you need fast, SIEM-free detection over Windows event logs with community Sigma coverage.
  • To enumerate suspicious activity (PowerShell, account changes, lateral movement) across many hosts' logs.
  • To produce metrics (events per computer/Event ID/channel) and pivot keywords for deeper hunting.
  • To export an incident timeline into Timesketch or Timeline Explorer for collaborative analysis.

Prerequisites

  • Hayabusa binary. Download a pre-compiled release (Windows/Linux/macOS) from GitHub:
    # Linux example
    curl -LO https://github.com/Yamato-Security/hayabusa/releases/latest/download/hayabusa-3.0.0-lin-x64-gnu.zip
    unzip hayabusa-*.zip && cd hayabusa-*
    ./hayabusa-3.0.0-lin-x64-gnu --version
    Or build from source (rules are a submodule):
    git clone https://github.com/Yamato-Security/hayabusa.git --recursive
    cd hayabusa && cargo build --release
  • Collected Windows .evtx files (or run with --live-analysis on the host, as Administrator).
  • Updated detection rules:
    ./hayabusa update-rules
  • Optional: Timeline Explorer (Windows) or Timesketch for visualizing output; jq for JSONL.

Objectives

  • Build a CSV or JSON forensic timeline from a directory of .evtx files.
  • Update and tune the Sigma rule set used for detection.
  • Select an output profile appropriate to the investigation (minimal vs. verbose vs. timesketch).
  • Generate metrics (computer, Event ID, log) and pivot keywords for hunting leads.
  • Filter the timeline by minimum severity to focus triage.
  • Search logs for specific IOCs by keyword or regex.

MITRE ATT&CK Mapping

Technique ID Official Name Why Hayabusa Detects It
T1059.001 Command and Scripting Interpreter: PowerShell Sigma rules over Event IDs 4104/4103 and Sysmon flag malicious PowerShell
T1059.003 Command and Scripting Interpreter: Windows Command Shell Rules over process-creation events surface suspicious cmd usage
T1078 Valid Accounts Logon events (4624/4625/4672) reveal anomalous authentication
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder Rules over registry-modification events flag persistence
T1053.005 Scheduled Task/Job: Scheduled Task Event ID 4698/106 rules surface task creation
T1003 OS Credential Dumping Rules flag LSASS access and credential-dumping patterns

Workflow

1. Update the rule set

Pull the latest Sigma and Hayabusa rules before every investigation.

./hayabusa update-rules

2. Build a CSV timeline from collected logs

Point Hayabusa at a directory of .evtx files and write a CSV timeline. -w skips the interactive wizard for scripted runs.

./hayabusa csv-timeline -d ./collected_evtx -o timeline.csv -w
# UTC timestamps for cross-host correlation
./hayabusa csv-timeline -d ./collected_evtx -o timeline_utc.csv -U -w

3. Choose an output profile

Profiles control detail. Use verbose to include MITRE ATT&CK tactics, tags, and the source rule/EVTX file; all-field-info to retain every original field.

# Verbose: adds MITRE tactics, tags, rule file, evtx file
./hayabusa csv-timeline -d ./collected_evtx -o timeline_verbose.csv -p verbose -w
# Preserve all original event fields
./hayabusa csv-timeline -d ./collected_evtx -o timeline_full.csv -p all-field-info -w

Available profiles: minimal, standard (default), verbose, all-field-info, all-field-info-verbose, super-verbose, timesketch-minimal, timesketch-verbose.

4. Filter by minimum severity

Focus triage on the highest-confidence detections with -m/--min-level.

./hayabusa csv-timeline -d ./collected_evtx -o critical.csv -m high -w

Levels: informational, low, medium, high, critical.

5. Produce a JSON/JSONL timeline for tooling

JSONL feeds cleanly into jq and downstream pipelines.

./hayabusa json-timeline -d ./collected_evtx -L -o timeline.jsonl -w
# Example: top rule titles
jq -r '.RuleTitle' timeline.jsonl | sort | uniq -c | sort -rn | head

6. Generate metrics and pivot keywords

Summaries reveal which hosts and Event IDs dominate, and pivot keywords give hunting leads.

./hayabusa computer-metrics -d ./collected_evtx -o computers.csv
./hayabusa eid-metrics -d ./collected_evtx -o eid.csv
./hayabusa log-metrics -d ./collected_evtx -o logs.csv
./hayabusa pivot-keywords-list -d ./collected_evtx -m medium -o pivots

7. Search logs for specific IOCs

Use the search command for keyword or regex hunting independent of detection rules.

# Keyword search (case-insensitive) for a suspicious binary
./hayabusa search -d ./collected_evtx -k "powershell" -i
# Regex search for base64-looking PowerShell encoded commands
./hayabusa search -d ./collected_evtx -r "-[Ee]nc(odedCommand)?\s+[A-Za-z0-9+/=]{20,}"

8. Live triage on a running host

On the affected machine (Administrator), analyze local logs without exporting first.

./hayabusa csv-timeline -l -o live_timeline.csv -m high -w

Tools and Resources

Tool Purpose Source
Hayabusa Sigma-based EVTX timeline/threat hunting https://github.com/Yamato-Security/hayabusa
hayabusa-rules Sigma + Hayabusa detection rules https://github.com/Yamato-Security/hayabusa-rules
Takajō Hayabusa results analyzer https://github.com/Yamato-Security/takajo
Timeline Explorer Review CSV timelines https://ericzimmerman.github.io/
Timesketch Collaborative timeline analysis https://timesketch.org/
Sigma Generic detection rule format https://github.com/SigmaHQ/sigma

Validation Criteria

  • Hayabusa binary installed and --version confirmed.
  • Rules updated with update-rules before analysis.
  • CSV timeline generated from the collected .evtx directory.
  • Appropriate output profile selected for the investigation goal.
  • Timeline filtered by minimum severity for triage focus.
  • JSON/JSONL timeline produced for downstream tooling where needed.
  • Computer/EID/log metrics generated.
  • Pivot keywords list produced for hunting leads.
  • Targeted IOC searches run with keyword/regex.
  • Findings (e.g., PowerShell T1059.001 detections) documented in the incident timeline.
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 2

api-reference.md2.1 KB

Hayabusa — Command & Flag Reference

Subcommands

Command Purpose
csv-timeline Build a CSV forensic timeline
json-timeline Build a JSON/JSONL timeline
update-rules Sync the latest Sigma/Hayabusa rules
search Keyword/regex search across event logs
level-tuning Customize alert severity per rule
computer-metrics Event counts per computer
eid-metrics Event counts/percentages per Event ID
log-metrics File metadata (timestamps, channels, providers)
pivot-keywords-list Extract suspicious keywords for correlation

Common Timeline Flags

Flag Description
-d, --directory <DIR> Directory of .evtx files
-f, --file <FILE> Single .evtx file
-l, --live-analysis Analyze local Windows event logs (admin)
-o, --output <FILE> Output path
-p, --profile <PROFILE> Output profile (see below)
-m, --min-level <LEVEL> Minimum alert level
-w, --no-wizard Skip interactive wizard (scripting)
-U, --UTC Output timestamps in UTC
-L (json-timeline) JSONL (one object per line)

Output Profiles

minimal, standard (default), verbose, all-field-info, all-field-info-verbose, super-verbose, timesketch-minimal, timesketch-verbose

Alert Levels

informational, low, medium, high, critical

search Flags

Flag Description
-k, --keyword <KW> Keyword to match
-r, --regex <RE> Regex to match
-i, --ignore-case Case-insensitive
-d, --directory <DIR> Logs directory

Examples

hayabusa update-rules
hayabusa csv-timeline -d ./evtx -o tl.csv -p verbose -m high -U -w
hayabusa json-timeline -d ./evtx -L -o tl.jsonl -w
hayabusa search -d ./evtx -k "mimikatz" -i
hayabusa eid-metrics -d ./evtx -o eid.csv
hayabusa pivot-keywords-list -d ./evtx -m medium -o pivots

External References

standards.md1.9 KB

Standards and References — Generating Forensic Timelines with Hayabusa

MITRE ATT&CK References

Technique ID Name Tactic Rationale
T1059.001 Command and Scripting Interpreter: PowerShell Execution Sigma rules over EID 4104/4103/Sysmon flag malicious PowerShell
T1059.003 Command and Scripting Interpreter: Windows Command Shell Execution Process-creation rules surface suspicious cmd usage
T1078 Valid Accounts Defense Evasion / Persistence Logon events (4624/4625/4672) reveal anomalous auth
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder Persistence Registry-modification rules flag persistence
T1053.005 Scheduled Task/Job: Scheduled Task Execution / Persistence EID 4698/106 rules surface task creation
T1003 OS Credential Dumping Credential Access Rules flag LSASS access patterns

NIST Cybersecurity Framework 2.0

ID Name Rationale
RS.AN-03 Analysis is performed to establish what has taken place during an incident and the root cause Hayabusa timelines reconstruct the sequence of events during IR analysis

Detection Standards

Official Resources

Key Research

  • Yamato Security: Hayabusa documentation and AnalysisWithJQ guide
  • Timesketch integration via timesketch-minimal / timesketch-verbose profiles

Scripts 1

agent.py4.5 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Hayabusa timeline helper.

Drives the Hayabusa binary to update rules and generate a CSV (and optionally
JSONL) forensic timeline from a directory of .evtx files, then summarizes the
detections by severity and top rule titles for fast triage.
"""

import argparse
import csv
import json
import os
import shutil
import subprocess
import sys
from collections import Counter
from datetime import datetime, timezone


def find_binary(explicit):
    """Locate the hayabusa binary."""
    if explicit:
        if os.path.isfile(explicit):
            return explicit
        sys.exit(f"[!] Binary not found: {explicit}")
    for name in ("hayabusa", "hayabusa.exe"):
        path = shutil.which(name)
        if path:
            return path
    sys.exit("[!] hayabusa not found on PATH; pass --bin /path/to/hayabusa")


def run(cmd):
    """Run a subprocess and stream a short status line."""
    print(f"[*] {' '.join(cmd)}")
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        print(proc.stderr[-1000:], file=sys.stderr)
    return proc


def update_rules(binary):
    run([binary, "update-rules"])


def csv_timeline(binary, src, out, profile, min_level, live):
    cmd = [binary, "csv-timeline", "-o", out, "-p", profile,
           "-m", min_level, "-w", "-U"]
    cmd += ["-l"] if live else ["-d", src]
    proc = run(cmd)
    if not os.path.isfile(out):
        sys.exit(f"[!] Timeline not produced. {proc.stderr[-500:]}")
    return out


def json_timeline(binary, src, out, profile, min_level, live):
    cmd = [binary, "json-timeline", "-L", "-o", out, "-p", profile,
           "-m", min_level, "-w"]
    cmd += ["-l"] if live else ["-d", src]
    run(cmd)
    return out


def summarize_csv(path):
    """Summarize a Hayabusa CSV timeline by level and rule title."""
    levels, titles = Counter(), Counter()
    total = 0
    with open(path, newline="", encoding="utf-8", errors="replace") as f:
        reader = csv.DictReader(f)
        # Hayabusa columns include "Level" and "RuleTitle"
        lvl_key = next((k for k in (reader.fieldnames or []) if k.lower() == "level"), None)
        title_key = next((k for k in (reader.fieldnames or [])
                          if k.lower().replace(" ", "") == "ruletitle"), None)
        for row in reader:
            total += 1
            if lvl_key:
                levels[row.get(lvl_key, "")] += 1
            if title_key:
                titles[row.get(title_key, "")] += 1
    return {"total_detections": total,
            "by_level": dict(levels),
            "top_rules": titles.most_common(15)}


def main():
    p = argparse.ArgumentParser(description="Hayabusa timeline helper")
    p.add_argument("-d", "--directory", help="Directory of .evtx files")
    p.add_argument("--live", action="store_true", help="Live-analyze local logs")
    p.add_argument("--bin", help="Path to hayabusa binary")
    p.add_argument("-o", "--output", default="timeline.csv", help="CSV output path")
    p.add_argument("--jsonl", help="Also write a JSONL timeline to this path")
    p.add_argument("-p", "--profile", default="verbose",
                   help="Output profile (minimal/standard/verbose/...)")
    p.add_argument("-m", "--min-level", default="medium",
                   choices=["informational", "low", "medium", "high", "critical"])
    p.add_argument("--no-update", action="store_true", help="Skip update-rules")
    p.add_argument("--report", help="Write JSON summary to this path")
    args = p.parse_args()

    if not args.live and not args.directory:
        p.error("provide -d/--directory or --live")

    binary = find_binary(args.bin)
    if not args.no_update:
        update_rules(binary)

    csv_path = csv_timeline(binary, args.directory, args.output,
                            args.profile, args.min_level, args.live)
    if args.jsonl:
        json_timeline(binary, args.directory, args.jsonl,
                      args.profile, args.min_level, args.live)

    summary = summarize_csv(csv_path)
    summary["generated"] = datetime.now(timezone.utc).isoformat()
    summary["timeline"] = csv_path

    print(f"\n[+] {summary['total_detections']} detections")
    print(f"[+] By level: {summary['by_level']}")
    print("[+] Top rules:")
    for title, count in summary["top_rules"]:
        print(f"    {count:5d}  {title}")

    if args.report:
        with open(args.report, "w") as f:
            json.dump(summary, f, indent=2)
        print(f"[+] Summary written to {args.report}")


if __name__ == "__main__":
    main()
Keep exploring