Hayabusa, the log analysis tool developed by the Yamato Security group, promises an unparalleled depth of investigation into Windows event logs. This blog explores key commands vital for harnessing Hayabusa’s potential in conducting thorough log analyses.
Hayabusa Command Arsenal for Deep Analysis:
1. CSV Timeline Generation:
Command: hayabusa.exe csv-timeline -d {Log Path}
Use -d for a directory path (where multiple logs are stored); use -f for a single event log file.
2. Predefined Rules Usage:
Command: hayabusa.exe csv-timeline -d {Log Path} -r rules/hayabusa/
Utilize the predefined rules located in the "hayabusa" folder. Use -r to specify the rules directory.
3. Utilizing Sigma Rules:
Command: hayabusa.exe csv-timeline -d {Log Path} -r rules/sigma/
Apply the Sigma rules located in the "sigma" folder for analysis. Use -r to specify the rules directory.
4. UTC Timezone Adjustment:
Command: hayabusa.exe csv-timeline -d {Log Path} -U
Utilize -U to adjust the output time zone to UTC (the flag goes after the -d argument, not between -d and the path).
5. Live Analysis with Administrator Privileges:
Command: hayabusa.exe csv-timeline -l -m low
Perform live analysis of the local machine's event logs with -l (this requires Administrator privileges) and report only rules at or above the minimum level given with -m.
6. Verbose Information Printing:
Command: hayabusa.exe csv-timeline -d {Log Path} -v
Print detailed information, including processing time and parsing errors, with -v (again placed after the -d argument).
7. Logon Summary and Metrics:
Command: hayabusa.exe logon-summary -d {Log Path}
Generate logon information summaries. For Event ID metrics, use:
Command: hayabusa.exe metrics -d {Log Path}
8. Pivot Keywords Listing:
Command: hayabusa.exe pivot-keywords-list -d {Log Path} -m critical
Create a list of unique pivot keywords, which helps in identifying abnormalities or correlations between events. (You can use high, medium or low instead of critical, depending on need.)
9. HTML Report Generation:
Command: hayabusa.exe csv-timeline -d {Log Path} -H hayabusa_report
Create HTML reports for in-depth analysis using -H.
10. Export to CSV for Further Analysis:
Command: hayabusa.exe csv-timeline -d {Log path} -o results.csv -p super-verbose
Export log data to a single CSV file for additional analysis. The -p super-verbose option (an output profile) can be omitted.
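One way to do the "further analysis" this CSV export is meant for, as an added example that is not code from the original post or from the Hayabusa project: a Python script that parses results.csv, summarises alerts by severity, host and rule, and finds the first high-severity hit per host. It assumes the column names of Hayabusa's standard output profile (Timestamp, Computer, Channel, EventID, Level, RuleTitle, Details) and the tool's abbreviated level names; the sample rows embedded in the script are constructed.

```python
import csv
import io
from collections import Counter

# Sigma/Hayabusa rule levels, most to least severe. Hayabusa abbreviates them in its
# CSV output (crit, med, info, emer), so the aliases map those back to full names.
LEVEL_RANK = {"emergency": 5, "critical": 4, "high": 3, "medium": 2, "low": 1, "informational": 0}
LEVEL_ALIASES = {"crit": "critical", "med": "medium", "info": "informational", "emer": "emergency"}

# Constructed sample of a csv-timeline export; column names follow Hayabusa's standard
# profile (an assumption about the tool's format) and every value is made up.
SAMPLE_CSV = """Timestamp,Computer,Channel,EventID,Level,RuleTitle,Details
2024-01-10 09:01:12.000 +09:00,WS01,Sec,4624,info,Logon (Network),TgtUser: alice
2024-01-10 09:02:40.000 +09:00,WS01,Sec,4688,high,Suspicious PowerShell Command Line,Proc: powershell.exe
2024-01-10 09:03:05.000 +09:00,DC01,Sec,4720,med,User Account Created,TgtUser: svc_backup
2024-01-10 09:04:15.000 +09:00,WS01,Sec,4688,crit,Credential Dumping Tool Execution,Proc: mimikatz.exe
2024-01-10 09:05:00.000 +09:00,DC01,Sys,7045,med,Service Installation,Svc: updater
"""

def normalize_level(level: str) -> str:
    """Map an abbreviated or full level name onto the full Sigma level name."""
    lvl = level.strip().lower()
    return LEVEL_ALIASES.get(lvl, lvl)

def rank(level: str) -> int:
    """Severity rank of a level name; unknown names rank below everything (-1)."""
    return LEVEL_RANK.get(normalize_level(level), -1)

def load_alerts(csv_text: str) -> list:
    """Parse csv-timeline output into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def summarise(rows, min_level: str = "medium") -> dict:
    """Count alerts at or above min_level, broken down by level, host and rule title."""
    kept = [r for r in rows if rank(r["Level"]) >= LEVEL_RANK[min_level]]
    return {
        "total": len(kept),
        "by_level": dict(Counter(normalize_level(r["Level"]) for r in kept)),
        "by_host": dict(Counter(r["Computer"] for r in kept)),
        "by_rule": dict(Counter(r["RuleTitle"] for r in kept)),
    }

def first_alert_per_host(rows, min_level: str = "high") -> dict:
    """Earliest timestamp at which each host tripped a rule of at least min_level."""
    first = {}
    for r in sorted(rows, key=lambda r: r["Timestamp"]):  # Hayabusa timestamps sort lexically
        if rank(r["Level"]) >= LEVEL_RANK[min_level]:
            first.setdefault(r["Computer"], r["Timestamp"])
    return first
```

On a real export, call `summarise(load_alerts(open("results.csv", encoding="utf-8-sig").read()))`; the utf-8-sig encoding strips a byte-order mark if one is present, so the Timestamp header parses cleanly.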
11. Search Command Usage:
Command: hayabusa.exe search -d {Log path} -i -k "mimikatz"
Conduct keyword searches within logs. Use -i for a case-insensitive search and -k for the keyword.
Note: you can also use search to look for an IP address or for events from a particular workstation.
12. Rule Updates:
Command: hayabusa.exe update-rules
Stay updated with the latest rules by executing the update-rules command.
These commands equip users to delve deeply into log analyses, enabling sophisticated investigations and comprehensive threat detection within Windows event logs using Hayabusa.
Akash Patel