Windows event log fast forensics timeline generator and threat hunting tool. Written in memory-safe Rust by Yamato Security — the only open-source tool with full Sigma support, including v2 correlation rules.

Hayabusa is a Windows event log fast forensics timeline generator and threat hunting tool. It is multi-threaded for speed and consolidates events from a single host or thousands of systems into one CSV / JSON / JSONL timeline — ready for analysis in LibreOffice, Timeline Explorer, Elastic Stack, Timesketch and more. It can run live on a single system, gather logs for offline analysis, or hunt across the enterprise with Velociraptor.
All documentation now lives on a dedicated, searchable, multi-language site:
| Section | Contents |
|---|---|
| 🚀 Getting Started | Download, install and run Hayabusa |
| ⌨️ Command Reference | Every command and option, with examples |
| 📊 Timeline Output | Output profiles, fields and abbreviations |
| 🧩 Rules | Detection rules and Sigma compatibility |
| 🔎 Importing & Analysis | Elastic Stack, Timesketch, Timeline Explorer, jq |
Grab the latest signed binaries from the Releases page, or see Getting Started for live-response packages and building from source.
The previous single-page README is preserved unchanged:
- 📄 OLD-README.md — English
- 📄 OLD-README-Japanese.md — 日本語
Contributions and bug reports are very welcome — see Contributing & Support. Hayabusa is released under the GNU AGPLv3 license; detection rules are released under the Detection Rule License (DRL) 1.1.
