Hayabusa v.s. Converted Sigma Rules
Zach Mathis (田中ザック) edited this page Feb 3, 2024 · 2 revisions
Hayabusa supports Sigma rules natively, with the single exception that the `logsource` fields are handled internally. In order to reduce false positives, Sigma rules should be run through our converter explained here. This will add the proper `Channel` and `EventID`, and perform field mapping for certain categories like `process_creation`.
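As an added illustration (not Hayabusa's own converter code), the following Python sketch shows what the conversion described above does to a rule: it takes a parsed Sigma rule, adds a `Channel`/`EventID` selection derived from the `logsource` category, and renames fields per target channel. The mapping table (process_creation to Security 4688 with `Image` renamed to `NewProcessName`, plus Sysmon EventID 1) and the sample rule are constructed assumptions, not the project's actual tables.

```python
import copy

# Constructed, illustrative table (an assumption, not Hayabusa's real converter
# data): logsource category -> target channels with their EventID and field map.
CATEGORY_TARGETS = {
    "process_creation": [
        {"Channel": "Security", "EventID": 4688,
         "fields": {"Image": "NewProcessName", "ParentImage": "ParentProcessName"}},
        # Sysmon already uses Sigma's field names, so no renaming is needed.
        {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "fields": {}},
    ],
}

def _rename_fields(obj, field_map):
    """Recursively rename detection keys, preserving Sigma modifiers (e.g. Image|endswith)."""
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            base, sep, mods = key.partition("|")
            out[field_map.get(base, base) + sep + mods] = _rename_fields(value, field_map)
        return out
    if isinstance(obj, list):
        return [_rename_fields(v, field_map) for v in obj]
    return obj

def convert_sigma_rule(rule):
    """Return one converted rule per target channel for the rule's logsource category.

    Each copy gets a 'logsource_selection' (Channel + EventID) ANDed into the
    condition and its detection fields renamed for that channel.
    """
    category = rule.get("logsource", {}).get("category")
    targets = CATEGORY_TARGETS.get(category)
    if not targets:
        raise ValueError(f"no conversion table for logsource category {category!r}")
    converted = []
    for target in targets:
        new_rule = copy.deepcopy(rule)
        detection = _rename_fields(new_rule["detection"], target["fields"])
        detection["logsource_selection"] = {"Channel": target["Channel"], "EventID": target["EventID"]}
        detection["condition"] = f"logsource_selection and ({rule['detection']['condition']})"
        new_rule["detection"] = detection
        converted.append(new_rule)
    return converted

SAMPLE_RULE = {  # constructed sample Sigma rule
    "title": "Suspicious whoami execution",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {"selection": {"Image|endswith": "\\whoami.exe"}, "condition": "selection"},
}

if __name__ == "__main__":
    for converted in convert_sigma_rule(SAMPLE_RULE):
        print(converted["detection"])
```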
Almost all Hayabusa rules are compatible with the Sigma format, so you can use them just like Sigma rules to convert to other SIEM formats. Hayabusa rules are designed solely for Windows event log analysis and have the following benefits:
- An extra `details` field to display additional information taken from only the useful fields in the log.
- They are all tested against sample logs and are known to work.
- Extra aggregators not found in Sigma, such as `|equalsfield` and `|endswithfield`.
To our knowledge, Hayabusa provides the greatest native support for Sigma rules of any open source Windows event log analysis tool.