Hayabusa

Hayabusa is a Windows event log analyzer, threat hunting tool, and forensic timeline generator. It functions as a detection engine that applies threat patterns to logs to identify suspicious behavior and security threats.

The project distinguishes itself through the ability to synchronize detection rules from remote repositories and tune risk levels to prioritize critical alerts. It also provides specialized forensic capabilities, such as extracting event log data into chronological records for incident response investigations.

The tool's broader capabilities include security log enrichment via geolocation, Base64 string decoding, and the calculation of event volume metrics. It further supports threat detection through logon activity summarization, critical system identification, and keyword-based pivot analysis to correlate related security events.

Features

Timeline Generators - Provides a specialized utility to extract event log data into chronological records for digital forensics and incident response.

Windows Event Log Analyzers - Searches and analyzes Windows event logs to find security threats or evidence of malicious activity.

Forensic Event Correlation - Parses event logs into a chronological sequence of activities to reconstruct a timeline of security events.

Rule-Based Detection Engines - Functions as a detection engine that applies threat patterns to logs and synchronizes rules from remote repositories.

Log Event Signatures - Matches event log entries against a curated library of patterns to identify suspicious behavior and security threats.

Incident Investigation Tools - Analyzes suspicious data and correlates event metrics to understand the scope of a security breach.

Threat Detection - Uses predefined rules to identify suspicious behavior and tunes alerts to minimize false positives.

Threat Hunting Workflows - Analyzes Windows event logs to proactively detect security threats and suspicious behavior using a rule-based library.

Digital Forensics - Creates chronological records of system events to reconstruct the sequence of an attack for digital forensics.

Remote Configuration Synchronization - Synchronizes local detection rules and risk thresholds by pulling the latest configurations from a remote repository.

Authentication Activity Summaries - Aggregates successful and failed logon attempts by username to identify potential authentication abuse.

Detection Sensitivity Tuning - Allows adjusting risk levels within configurations to reduce false positives and prioritize critical security alerts.

Remote Rule Synchronization - Updates local detection rules and configuration files from a remote repository to keep threat patterns current.

Critical Asset Identification - Detects domain controllers and file servers to increase alert priority for events originating from those hosts.

Log Event Enrichment - Adds geographical context and system roles to IP addresses and hostnames within event logs.

IP Geolocation Enrichment - Enriches network log entries by mapping IP addresses to physical locations using external geolocation databases.

Log Analysis Tools - Generates forensic timelines from Windows event logs.

Windows Artifact Analysis - Sigma-based threat hunting and timeline generation for event logs.

Forensics and Incident Response - Sigma-based threat hunting and Windows event log analysis.

Digital Forensics - Fast Windows event log analysis tool for threat hunting.

Yamato-Securityhayabusa

Features

Star history