MCPcopy Index your code
hub / github.com/Yamato-Security/hayabusa

github.com/Yamato-Security/hayabusa @v3.10.0

Chat with this repo
repository ↗ · DeepWiki ↗ · release v3.10.0 ↗ · + Follow
1,024 symbols 3,021 edges 44 files 381 documented · 37%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README
<img alt="Hayabusa Logo" src="https://github.com/Yamato-Security/hayabusa/raw/v3.10.0/logo.png" width="60%">

Windows event log fast forensics timeline generator and threat hunting tool.

Written in memory-safe Rust by Yamato Security — the only open-source tool with full Sigma support, including v2 correlation rules.

<a href="https://github.com/Yamato-Security/hayabusa/releases"><img src="https://img.shields.io/github/v/release/Yamato-Security/hayabusa?color=blue&label=Stable%20Version&style=flat"/></a>
<a href="https://github.com/Yamato-Security/hayabusa/releases"><img src="https://img.shields.io/github/downloads/Yamato-Security/hayabusa/total?style=flat&label=GitHub%F0%9F%A6%85Downloads&color=blue"/></a>
<a href="https://github.com/Yamato-Security/hayabusa/stargazers"><img src="https://img.shields.io/github/stars/Yamato-Security/hayabusa?style=flat&label=GitHub%F0%9F%A6%85Stars"/></a>
<a href="https://github.com/Yamato-Security/hayabusa/graphs/contributors"><img src="https://img.shields.io/github/contributors/Yamato-Security/hayabusa?label=Contributors&color=blue&style=flat"/></a>
<a href="https://github.com/Yamato-Security/hayabusa/blob/main/LICENSE.txt"><img src="https://img.shields.io/badge/License-AGPLv3-blue.svg?style=flat"/></a>
<a href="https://www.blackhat.com/asia-22/arsenal/schedule/#hayabusa-26211"><img src="https://img.shields.io/badge/Black%20Hat%20Arsenal%20Asia-2022-blue"></a>
<a href="https://codeblue.jp/2022/en/talks/?content=talks_24"><img src="https://img.shields.io/badge/CODE%20BLUE%20Bluebox-2022-blue"></a>
<a href="https://www.seccon.jp/2022/seccon_workshop/windows.html"><img src="https://img.shields.io/badge/SECCON-2023-blue"></a>
<a href="https://www.security-camp.or.jp/minicamp/tokyo2023.html"><img src="https://img.shields.io/badge/Security%20MiniCamp%20Tokyo-2023-blue"></a>
<a href="https://www.sans.org/cyber-security-training-events/digital-forensics-summit-2023/"><img src="https://img.shields.io/badge/SANS%20DFIR%20Summit-2023-blue"></a>
<a href="https://bsides.tokyo/2024/"><img src="https://img.shields.io/badge/BSides%20Tokyo-2024-blue"></a>
<a href="https://www.hacker.or.jp/hack-fes-2024/"><img src="https://img.shields.io/badge/Hack%20Fes.-2024-blue"></a>
<a href="https://hitcon.org/2024/CMT/"><img src="https://img.shields.io/badge/HITCON-2024-blue"></a>
<a href="https://www.blackhat.com/sector/2024/briefings/schedule/index.html#performing-dfir-and-threat-hunting-with-yamato-security-oss-tools-and-community-driven-knowledge-41347"><img src="https://img.shields.io/badge/SecTor-2024-blue"></a>
<a href="https://www.infosec-city.com/schedule/sin25-con"><img src="https://img.shields.io/badge/SINCON%20Kampung%20Workshop-2025-blue"></a>
<a href="https://www.blackhat.com/us-25/arsenal/schedule/index.html#windows-fast-forensics-with-yamato-securitys-hayabusa-45629"><img src="https://img.shields.io/badge/Black%20Hat%20Arsenal%20USA-2025-blue"></a>
<a href="https://codeblue.jp/en/program/time-table/day2-t3-02/"><img src="https://img.shields.io/badge/CODE%20BLUE%20-2025-blue"></a>
<a href="https://blackhat.com/us-26/arsenal/schedule/index.html#mecha-hayabusa-by-yamato-security-52897"><img src="https://img.shields.io/badge/Black%20Hat%20Arsenal%20USA-2026-blue"></a>
<a href="https://gist.github.com/cheerfulstoic/d107229326a01ff0f333a1d3476e068d"><img src="https://img.shields.io/badge/Maintenance%20Level-Actively%20Developed-brightgreen.svg" /></a>
<a href="https://github.com/Yamato-Security/hayabusa/commits/main/"><img src="https://img.shields.io/github/commit-activity/t/Yamato-Security/hayabusa/main" /></a>
<a href="https://rust-reportcard.xuri.me/report/github.com/Yamato-Security/hayabusa"><img src="https://rust-reportcard.xuri.me/badge/github.com/Yamato-Security/hayabusa" /></a>
<a href="https://codecov.io/gh/Yamato-Security/hayabusa" ><img src="https://codecov.io/gh/Yamato-Security/hayabusa/branch/main/graph/badge.svg?token=WFN5XO9W8C"/></a>
<a href="https://twitter.com/SecurityYamato"><img src="https://img.shields.io/twitter/follow/SecurityYamato?style=social"/></a>

📖 Read the Documentation →

Available in 15 languages — English · 日本語 · 繁體中文 · 한국어 · Deutsch · Türkçe · Français · Español · Português (Brasil) · Українська · हिन्दी · Bahasa Indonesia · မြန်မာဘာသာ · ไทย · العربية


🦅 About

Hayabusa is a Windows event log fast forensics timeline generator and threat hunting tool. It is multi-threaded for speed and consolidates events from a single host or thousands of systems into one CSV / JSON / JSONL timeline — ready for analysis in LibreOffice, Timeline Explorer, Elastic Stack, Timesketch and more. It can run live on a single system, gather logs for offline analysis, or hunt across the enterprise with Velociraptor.

📖 Documentation

All documentation now lives on a dedicated, searchable, multi-language site:

👉 yamato-security.github.io/hayabusa

Section
🚀 Getting Started Download, install and run Hayabusa
⌨️ Command Reference Every command and option, with examples
📊 Timeline Output Output profiles, fields and abbreviations
🧩 Rules Detection rules and Sigma compatibility
🔎 Importing & Analysis Elastic Stack, Timesketch, Timeline Explorer, jq

⬇️ Download

Grab the latest signed binaries from the Releases page, or see Getting Started for live-response packages and building from source.

🗂️ Looking for the old README?

The previous single-page README is preserved unchanged:

🤝 Contributing & License

Contributions and bug reports are very welcome — see Contributing & Support. Hayabusa is released under the GNU AGPLv3 license; detection rules are released under the Detection Rule License (DRL) 1.1.


Made with 🦅 by Yamato Security  ·  @SecurityYamato

Extension points exported contracts — how you extend this code

SelectionNode (Interface)
Trait implemented by every node under the detection-selection section of a rule file. [6 implementers]
src/detections/rule/selectionnodes.rs
LeafMatcher (Interface)
Represents the logic for comparing event log values at leaf nodes. A class implementing this trait exists for each kind [4 …
src/detections/rule/matchers.rs
CountStrategy (Interface)
* Trait to absorb differences in how count() counts * (distinct field values vs. plain record count). */ [2 implementers]
src/detections/rule/count.rs

Core symbols most depended-on inside this repo

check_select
called by 163
src/detections/rule/matchers.rs
write_color_buffer
called by 143
src/detections/utils.rs
len
called by 104
src/timeline/extract_base64.rs
get_writable_color
called by 82
src/detections/utils.rs
check_setting_path
called by 64
src/detections/utils.rs
to_str
called by 60
src/timeline/config_critical_systems.rs
check_select
called by 40
src/detections/rule/condition_parser.rs
check_count
called by 34
src/detections/rule/count.rs

Shape

Function 720
Method 203
Class 84
Enum 14
Interface 3

Languages

Rust99%
Python1%

Modules by API surface

src/detections/rule/matchers.rs174 symbols
src/detections/rule/condition_parser.rs70 symbols
src/detections/configs.rs65 symbols
src/detections/rule/count.rs54 symbols
src/detections/utils.rs49 symbols
src/afterfact.rs49 symbols
src/main.rs45 symbols
src/yaml.rs41 symbols
src/detections/rule/mod.rs38 symbols
src/detections/rule/selectionnodes.rs34 symbols
src/detections/detection.rs31 symbols
src/timeline/extract_base64.rs29 symbols

For agents

$ claude mcp add hayabusa \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page