<div align="center"> <p> <img alt="Hayabusa Logo" src="logo.png" width="60%"> </p> [ <b>English</b> ] | [<a href="README-Japanese.md">日本語</a>] </div>

---

<p align="center"> <a href="https://github.com/Yamato-Security/hayabusa/releases"><img src="https://img.shields.io/github/v/release/Yamato-Security/hayabusa?color=blue&label=Stable%20Version&style=flat"/></a> <a href="https://github.com/Yamato-Security/hayabusa/releases"><img src="https://img.shields.io/github/downloads/Yamato-Security/hayabusa/total?style=flat&label=GitHub%F0%9F%A6%85Downloads&color=blue"/></a> <a href="https://github.com/Yamato-Security/hayabusa/stargazers"><img src="https://img.shields.io/github/stars/Yamato-Security/hayabusa?style=flat&label=GitHub%F0%9F%A6%85Stars"/></a> <a href="https://github.com/Yamato-Security/hayabusa/graphs/contributors"><img src="https://img.shields.io/github/contributors/Yamato-Security/hayabusa?label=Contributors&color=blue&style=flat"/></a> <a href="https://www.blackhat.com/asia-22/arsenal/schedule/#hayabusa-26211"><img src="https://raw.githubusercontent.com/toolswatch/badges/master/arsenal/asia/2022.svg"></a> <a href="https://codeblue.jp/2022/en/talks/?content=talks_24"><img src="https://img.shields.io/badge/CODE%20BLUE%20Bluebox-2022-blue"></a> <a href="https://www.seccon.jp/2022/seccon_workshop/windows.html"><img src="https://img.shields.io/badge/SECCON-2023-blue"></a> <a href="https://www.security-camp.or.jp/minicamp/tokyo2023.html"><img src="https://img.shields.io/badge/Security%20MiniCamp%20Tokyo-2023-blue"></a> <a href="https://www.sans.org/cyber-security-training-events/digital-forensics-summit-2023/"><img src="https://img.shields.io/badge/SANS%20DFIR%20Summit-2023-blue"></a> <a href="https://bsides.tokyo/2024/"><img src="https://img.shields.io/badge/BSides%20Tokyo-2024-blue"></a> <a href="https://www.hacker.or.jp/hack-fes-2024/"><img src="https://img.shields.io/badge/Hack%20Fes.-2024-blue"></a> <a href="https://hitcon.org/2024/CMT/"><img src="https://img.shields.io/badge/HITCON-2024-blue"></a> <a href="https://www.blackhat.com/sector/2024/briefings/schedule/index.html#performing-dfir-and-threat-hunting-with-yamato-security-oss-tools-and-community-driven-knowledge-41347"><img src="https://img.shields.io/badge/SecTor-2024-blue"></a> <a href="https://www.infosec-city.com/schedule/sin25-con"><img src="https://img.shields.io/badge/SINCON%20Kampung%20Workshop-2025-blue"></a> <a href="https://www.blackhat.com/us-25/arsenal/schedule/index.html#windows-fast-forensics-with-yamato-securitys-hayabusa-45629"><img src="https://img.shields.io/badge/Black%20Hat%20Arsenal%20USA-2025-blue"></a> <a href="https://codeblue.jp/en/program/time-table/day2-t3-02/"><img src="https://img.shields.io/badge/CODE%20BLUE%20-2025-blue"></a> <a href="https://gist.github.com/cheerfulstoic/d107229326a01ff0f333a1d3476e068d"><img src="https://img.shields.io/badge/Maintenance%20Level-Actively%20Developed-brightgreen.svg" /></a> <a href="https://github.com/Yamato-Security/hayabusa/commits/main/"><img src="https://img.shields.io/github/commit-activity/t/Yamato-Security/hayabusa/main" /></a> <a href="https://rust-reportcard.xuri.me/report/github.com/Yamato-Security/hayabusa"><img src="https://rust-reportcard.xuri.me/badge/github.com/Yamato-Security/hayabusa" /></a> <a href="https://codecov.io/gh/Yamato-Security/hayabusa" ><img src="https://codecov.io/gh/Yamato-Security/hayabusa/branch/main/graph/badge.svg?token=WFN5XO9W8C"/></a> <a href="https://twitter.com/SecurityYamato"><img src="https://img.shields.io/twitter/follow/SecurityYamato?style=social"/></a> </p>

About Hayabusa

Hayabusa is a Windows event log fast forensics timeline generator and threat hunting tool created by the Yamato Security group in Japan. Hayabusa means "peregrine falcon" in Japanese and was chosen as peregrine falcons are the fastest animal in the world, great at hunting and highly trainable. It is written in memory-safe Rust, supports multi-threading in order to be as fast as possible and is the only open-source tool that has full support for the Sigma specification including v2 correlation rules. Hayabusa can handle parsing upstream Sigma rules, however, the Sigma rules that we use and host in the hayabusa-rules repository have some conversion done to them in order to make rule loading more flexible and reduce false positives. You can read the details about this at the sigma-to-hayabusa-converter repository README file. Hayabusa can be run either on single running systems for live analysis, by gathering logs from single or multiple systems for offline analysis, or by running the Hayabusa artifact with Velociraptor for enterprise-wide threat hunting and incident response. The output will be consolidated into a single CSV/JSON/JSONL timeline for easy analysis in LibreOffice, Timeline Explorer Elastic Stack, Timesketch, etc...

Companion Projects

• EnableWindowsLogSettings - Documentation and scripts to properly enable Windows event logs.
• Hayabusa Encoded Rules - The same as Hayabusa Rules repository but the rules and config files are stored in one file and XORed to prevent false positives from anti-virus.
• Hayabusa Rules - Hayabusa and curated Sigma detection rules used Hayabusa.
• Hayabusa EVTX - A more maintained fork of the evtx crate.
• Hayabusa Sample EVTXs - Sample evtx files to use for testing hayabusa/sigma detection rules.
• Presentations - Presentations from talks that we have given about our tools and resources.
• Sigma to Hayabusa Converter - Curates upstream Windows event log based Sigma rules into an easier to use form.
• Takajo - An analyzer for hayabusa results.
• WELA (Windows Event Log Analyzer) - An analyzer for Windows event logs written in PowerShell. (Deprecated and replaced by Takajo.)

Third-Party Projects That Use Hayabusa

• AllthingsTimesketch - A NodeRED workflow that imports Plaso and Hayabusa results into Timesketch.
• LimaCharlie - Provides cloud-based security tools and infrastructure to fit your needs.
• OpenRelik - An open-source (Apache-2.0) platform designed to streamline collaborative digital forensic investigations.
• Splunk4DFIR - Quickly spin up a splunk instance with Docker to browse through logs and tools output during your investigations.
• Velociraptor - A tool for collecting host based state information using The Velociraptor Query Language (VQL) queries.

Table of Contents

• About Hayabusa
• Companion Projects
• Third-Party Projects That Use Hayabusa
  • Table of Contents
  • Main Goals
    • Threat Hunting and Enterprise-wide DFIR
    • Fast Forensics Timeline Generation
• Screenshots
  • Startup
  • DFIR Timeline Terminal Output
  • Keyword Search Results
  • Detection Fequency Timeline (-T option)
  • Results Summary
  • HTML Results Summary (-H option)
  • DFIR Timeline Analysis in LibreOffice (-M Multiline Output)
  • DFIR Timeline Analysis in Timeline Explorer
  • Critical Alert Filtering and Computer Grouping in Timeline Explorer
  • Analysis in Timesketch
• Importing and Analyzing Timeline Results
• Analyzing JSON-formatted results with JQ
• Features
• Downloads
  • Windows live response packages
• Git Cloning
• Advanced: Compiling From Source (Optional)
  • Updating Rust Packages
  • Cross-compiling 32-bit Windows Binaries
  • macOS Compiling Notes
  • Linux Compiling Notes
  • Cross-compiling Linux MUSL Binaries
• Running Hayabusa
  • Caution: Anti-Virus/EDR Warnings and Slow Runtimes
  • Windows
    • [Error when trying to scan a file or directory with a space in the path](#error-wh