
Hayabusa Rules

Zach Mathis (田中ザック) edited this page Feb 3, 2024 · 5 revisions

Hayabusa detection rules are written in a Sigma-like YAML (.yml) format and are located in the rules folder. The rules are hosted at https://github.com/Yamato-Security/hayabusa-rules, so please send any issues and pull requests for rules there instead of to the main Hayabusa repository.

Please read the hayabusa-rules repository README to understand the rule format and how to create rules.

All of the rules from the hayabusa-rules repository should be placed in the rules folder. Rules with a level of informational are considered events, while rules with a level of low or higher are considered alerts.

The hayabusa rule directory structure is separated into 2 directories:

  • builtin: logs that can be generated by Windows built-in functionality.
  • sysmon: logs that are generated by sysmon.

Rules are further separated into directories by log type (Example: Security, System, etc...) and are named in the following format:

Please check out the current rules to use as a template in creating new ones or for checking the detection logic.
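As an added example (not part of this wiki page or of the hayabusa-rules project), the following script audits a local rules folder against the two conventions described above: every rule must sit under builtin/ or sysmon/ and a log-type subdirectory, and its Sigma level decides whether it is an event (informational) or an alert (low or higher). The rule bodies and file paths it writes are constructed for the demonstration, and the minimal `level:` parser is an assumption used to avoid a PyYAML dependency.

```python
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Sigma severity scale; Hayabusa treats "informational" as an event and low or higher as an alert.
SIGMA_LEVELS = ("informational", "low", "medium", "high", "critical")
TOP_DIRS = {"builtin", "sysmon"}  # the two top-level rule directories described on the page

def rule_level(text: str) -> Optional[str]:
    """Return the top-level 'level:' value of a rule (tiny parser, so no PyYAML is needed)."""
    for line in text.splitlines():
        if line.startswith("level:"):
            return line.split(":", 1)[1].split("#", 1)[0].strip().lower()
    return None

def classify(level: str) -> str:
    """Map a Sigma level to Hayabusa's event/alert distinction."""
    if level not in SIGMA_LEVELS:
        raise ValueError(f"unknown level: {level!r}")
    return "event" if level == "informational" else "alert"

def audit_rules(rules_dir: Path) -> Dict[str, List]:
    """Walk <rules>/<builtin|sysmon>/<log type>/*.yml and bucket each rule as event, alert or invalid."""
    summary: Dict[str, List] = {"event": [], "alert": [], "invalid": []}
    for path in sorted(rules_dir.rglob("*.yml")):
        rel = path.relative_to(rules_dir).as_posix()
        parts = rel.split("/")
        if len(parts) < 3 or parts[0] not in TOP_DIRS:
            summary["invalid"].append((rel, "unexpected directory placement"))
            continue
        level = rule_level(path.read_text(encoding="utf-8"))
        if level not in SIGMA_LEVELS:
            summary["invalid"].append((rel, f"bad level {level!r}"))
            continue
        summary[classify(level)].append(rel)
    return summary

def demo() -> Dict[str, List]:
    """Write a constructed rules tree (not real hayabusa-rules content) to a temp dir and audit it."""
    rules = {
        "builtin/Security/logon_success.yml": "title: Logon Success\nlevel: informational\n",
        "sysmon/Sysmon/suspicious_process.yml": "title: Suspicious Process\nlevel: high  # alert\n",
        "builtin/System/service_installed.yml": "title: Service Installed\nlevel: warning\n",
        "misc/stray_rule.yml": "title: Stray Rule\nlevel: low\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in rules.items():
            Path(tmp, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(tmp, rel).write_text(body, encoding="utf-8")
        return audit_rules(Path(tmp))
```

Point `audit_rules` at a real checkout of the rules folder to spot misplaced files or unknown levels before Hayabusa loads them.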
