-
Notifications
You must be signed in to change notification settings - Fork 203
Timeline Output
Hayabusa has 5 pre-defined output profiles to use in config/profiles.yaml:
minimal-
standard(default) verboseall-field-infoall-field-info-verbosesuper-verbosetimesketch-minimaltimesketch-verbose
You can easily customize or add your own profiles by editing this file.
You can also easily change the default profile with set-default-profile --profile <profile>.
Use the list-profiles command to show the available profiles and their field information.
%Timestamp%, %Computer%, %Channel%, %EventID%, %Level%, %RecordID%, %RuleTitle%, %Details%
%Timestamp%, %Computer%, %Channel%, %EventID%, %Level%, %RecordID%, %RuleTitle%, %Details%, %ExtraFieldInfo%
%Timestamp%, %Computer%, %Channel%, %EventID%, %Level%, %MitreTactics%, %MitreTags%, %OtherTags%, %RecordID%, %RuleTitle%, %Details%, %ExtraFieldInfo%, %RuleFile%, %EvtxFile%
Instead of outputting the minimal details information, all field information in the EventData and UserData sections will be outputted along with their original field names.
%Timestamp%, %Computer%, %Channel%, %EventID%, %Level%, %RecordID%, %RuleTitle%, %AllFieldInfo%, %RuleFile%, %EvtxFile%
%Timestamp%, %Computer%, %Channel%, %EventID%, %Level%, %MitreTactics%, %MitreTags%, %OtherTags%, %RecordID%, %RuleTitle%, %AllFieldInfo%, %RuleFile%, %EvtxFile%
%Timestamp%, %Computer%, %Channel%, %EventID%, %Level%, %RuleTitle%, %RuleAuthor%, %RuleModifiedDate%, %Status%, %RecordID%, %Details%, %ExtraFieldInfo%, %MitreTactics%, %MitreTags%, %OtherTags%, %Provider%, %RuleCreationDate%, %RuleFile%, %EvtxFile%
Output to a format compatible with importing into Timesketch.
%Timestamp%, hayabusa, %RuleTitle%, %Computer%, %Channel%, %EventID%, %Level%, %MitreTactics%, %MitreTags%, %OtherTags%, %RecordID%, %Details%, %RuleFile%, %EvtxFile%
%Timestamp%, hayabusa, %RuleTitle%, %Computer%, %Channel%, %EventID%, %Level%, %MitreTactics%, %MitreTags%, %OtherTags%, %RecordID%, %Details%, %ExtraFieldInfo%, %RuleFile%, %EvtxFile%
The following benchmarks were conducted on a 2018 Lenovo P51 (Xeon 4 Core CPU / 64GB RAM) with 3GB of evtx data and 3891 rules enabled. (2023/06/01)
| Profile | Processing Time | Output Filesize | Filesize Increase |
|---|---|---|---|
| minimal | 8 minutes 50 seconds | 770 MB | -30% |
| standard (default) | 9 minutes 00 seconds | 1.1 GB | None |
| verbose | 9 minutes 10 seconds | 1.3 GB | +20% |
| all-field-info | 9 minutes 3 seconds | 1.2 GB | +10% |
| all-field-info-verbose | 9 minutes 10 seconds | 1.3 GB | +20% |
| super-verbose | 9 minutes 12 seconds | 1.5 GB | +35% |
The following information can be outputted with built-in output profiles:
| Alias name | Hayabusa output information |
|---|---|
| %AllFieldInfo% | All field information. |
| %Channel% | The name of log. <Event><System><Channel> field. |
| %Computer% | The <Event><System><Computer> field. |
| %Details% | The details field in the YML detection rule, however, only hayabusa rules have this field. This field gives extra information about the alert or event and can extract useful data from the fields in event logs. For example, usernames, command line information, process information, etc... When a placeholder points to a field that does not exist or there is an incorrect alias mapping, it will be outputted as n/a (not available). If the details field is not specified (i.e. sigma rules), default details messages to extract fields defined in ./rules/config/default_details.txt will be outputted. You can add more default details messages by adding the Provider Name, EventID and details message you want to output in default_details.txt. When no details field is defined in a rule nor in default_details.txt, all fields will be outputted to the details column. |
| %ExtraFieldInfo% | Print the field information that was not outputted in %Details%. |
| %EventID% | The <Event><System><EventID> field. |
| %EvtxFile% | The evtx filename that caused the alert or event. |
| %Level% | The level field in the YML detection rule. (informational, low, medium, high, critical) |
| %MitreTactics% | MITRE ATT&CK tactics (Ex: Initial Access, Lateral Movement, etc...). |
| %MitreTags% | MITRE ATT&CK Group ID, Technique ID and Software ID. |
| %OtherTags% | Any keyword in the tags field in a YML detection rule which is not included in MitreTactics or MitreTags. |
| %Provider% | The Name attribute in <Event><System><Provider> field. |
| %RecordID% | The Event Record ID from <Event><System><EventRecordID> field. |
| %RuleAuthor% | The author field in the YML detection rule. |
| %RuleCreationDate% | The date field in the YML detection rule. |
| %RuleFile% | The filename of the detection rule that generated the alert or event. |
| %RuleModifiedDate% | The modified field in the YML detection rule. |
| %RuleTitle% | The title field in the YML detection rule. |
| %Status% | The status field in the YML detection rule. |
| %Timestamp% | Default is YYYY-MM-DD HH:mm:ss.sss +hh:mm format. <Event><System><TimeCreated SystemTime> field in the event log. The default timezone will be the local timezone but you can change the timezone to UTC with the --UTC option. |
You can also add these extra aliases to your output profile if you need them:
| Alias name | Hayabusa output information |
|---|---|
| %RenderedMessage% | The <Event><RenderingInfo><Message> field in WEC forwarded logs. |
| %RuleID% | The id field in the YML detection rule. |
Note: these are not included in any built in profiles so you will need to manually edit the config/default_profile.yaml file and add the following lines:
Message: "%RenderedMessage%"
RuleID: "%RuleID%"
You can also define event key aliases to output other fields.
In order to save space, we use the following abbrevations when displaying the alert level.
-
crit:critical -
high:high -
med:medium -
low:low -
info:informational
In order to save space, we use the following abbreviations when displaying MITRE ATT&CK tactic tags.
You can freely edit these abbreviations in the ./config/mitre_tactics.txt configuration file.
-
Recon: Reconnaissance -
ResDev: Resource Development -
InitAccess: Initial Access -
Exec: Execution -
Persis: Persistence -
PrivEsc: Privilege Escalation -
Evas: Defense Evasion -
CredAccess: Credential Access -
Disc: Discovery -
LatMov: Lateral Movement -
Collect: Collection -
C2: Command and Control -
Exfil: Exfiltration -
Impact: Impact
In order to save space, we use the following abbreviations when displaying Channel.
You can freely edit these abbreviations in the ./rules/config/channel_abbreviations.txt configuration file.
-
App:Application -
AppLocker:Microsoft-Windows-AppLocker/* -
BitsCli:Microsoft-Windows-Bits-Client/Operational -
CodeInteg:Microsoft-Windows-CodeIntegrity/Operational -
Defender:Microsoft-Windows-Windows Defender/Operational -
DHCP-Svr:Microsoft-Windows-DHCP-Server/Operational -
DNS-Svr:DNS Server -
DvrFmwk:Microsoft-Windows-DriverFrameworks-UserMode/Operational -
Exchange:MSExchange Management -
Firewall:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall -
KeyMgtSvc:Key Management Service -
LDAP-Cli:Microsoft-Windows-LDAP-Client/Debug -
NTLMMicrosoft-Windows-NTLM/Operational -
OpenSSH:OpenSSH/Operational -
PrintAdm:Microsoft-Windows-PrintService/Admin -
PrintOp:Microsoft-Windows-PrintService/Operational -
PwSh:Microsoft-Windows-PowerShell/Operational -
PwShClassic:Windows PowerShell -
RDP-Client:Microsoft-Windows-TerminalServices-RDPClient/Operational -
Sec:Security -
SecMitig:Microsoft-Windows-Security-Mitigations/* -
SmbCliSec:Microsoft-Windows-SmbClient/Security -
SvcBusCli:Microsoft-ServiceBus-Client -
Sys:System -
Sysmon:Microsoft-Windows-Sysmon/Operational -
TaskSch:Microsoft-Windows-TaskScheduler/Operational -
WinRM:Microsoft-Windows-WinRM/Operational -
WMI:Microsoft-Windows-WMI-Activity/Operational
The following abbreviations are used in rules in order to make the output as concise as possible:
-
Acct-> Account -
Addr-> Address -
Auth-> Authentication -
Cli-> Client -
Chan-> Channel -
Cmd-> Command -
Cnt-> Count -
Comp-> Computer -
Conn-> Connection/Connected -
Creds-> Credentials -
Crit-> Critical -
Disconn-> Disconnection/Disconnected -
Dir-> Directory -
Drv-> Driver -
Dst-> Destination -
EID-> Event ID -
Err-> Error -
Exec-> Execution -
FW-> Firewall -
Grp-> Group -
Img-> Image -
Inj-> Injection -
Krb-> Kerberos -
LID-> Logon ID -
Med-> Medium -
Net-> Network -
Obj-> Object -
Op-> Operational/Operation -
Proto-> Protocol -
PW-> Password -
Reconn-> Reconnection -
Req-> Request -
Rsp-> Response -
Sess-> Session -
Sig-> Signature -
Susp-> Suspicious -
Src-> Source -
Svc-> Service -
Svr-> Server -
Temp-> Temporary -
Term-> Termination/Terminated -
Tkt-> Ticket -
Tgt-> Target -
Unkwn-> Unknown -
Usr-> User -
Perm-> Permament -
Pkg-> Package -
Priv-> Privilege -
Proc-> Process -
PID-> Process ID -
PGUID-> Process GUID (Global Unique ID) -
Ver-> Version
The progress bar will only work with multiple evtx files. It will display in real time the number and percent of evtx files that it has finished analyzing.
The alerts will be outputted in color based on the alert level.
You can change the default colors in the config file at ./config/level_color.txt in the format of level,(RGB 6-digit ColorHex).
If you want to disable color output, you can use --no-color option.
Total events, the number of events with hits, data reduction metrics, total and unique detections, dates with the most detections, top computers with detections and top alerts are displayed after every scan.
If you add the -T, --visualize-timeline option, the Event Frequency Timeline feature displays a sparkline frequency timeline of detected events.
Note: There needs to be more than 5 events. Also, the characters will not render correctly on the default Command Prompt or PowerShell Prompt, so please use a terminal like Windows Terminal, iTerm2, etc...