Pivot Keyword Generator

DustInDark edited this page Apr 21, 2022 · 1 revision

You can use the -p or --pivot-keywords-list option to create a list of unique pivot keywords to quickly identify abnormal users, hostnames, processes, etc. as well as correlate events. You can customize which keywords you want to search for by editing config/pivot_keywords.txt. This is the default setting:

Users.SubjectUserName
Users.TargetUserName
Users.User
Logon IDs.SubjectLogonId
Logon IDs.TargetLogonId
Workstation Names.WorkstationName
Ip Addresses.IpAddress
Processes.Image

The format is KeywordName.FieldName. For example, when creating the list of Users, hayabusa will list all the values found in the SubjectUserName, TargetUserName and User fields. By default, hayabusa will return results from all events (informational and higher), so we highly recommend combining the --pivot-keywords-list option with the -m or --min-level option. For example, start off by creating keywords only from critical alerts with -m critical and then continue with -m high, -m medium, etc. There will most likely be common keywords in your results that match many normal events, so after manually checking the results and saving the unique keywords in a single file, you can create a narrowed-down timeline of suspicious activity with a command like grep -f keywords.txt timeline.csv.
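The workflow above, as an added example that is not hayabusa's own code: parse the KeywordName.FieldName config, collect unique values per keyword from events at or above a minimum level, then narrow a timeline the way grep -f keywords.txt timeline.csv does. The event layout (a dict with a level and a fields dict), the sample events and the timeline lines are constructed for illustration.

```python
from collections import defaultdict

# Constructed copy of the default config/pivot_keywords.txt shown above.
PIVOT_CONFIG = """\
Users.SubjectUserName
Users.TargetUserName
Users.User
Logon IDs.SubjectLogonId
Logon IDs.TargetLogonId
Workstation Names.WorkstationName
Ip Addresses.IpAddress
Processes.Image
"""

LEVELS = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample events (hypothetical layout, not hayabusa's internal one).
SAMPLE_EVENTS = [
    {"level": "critical", "fields": {"SubjectUserName": "svc_backup", "IpAddress": "10.0.0.5"}},
    {"level": "high", "fields": {"TargetUserName": "Administrator", "WorkstationName": "WS-01"}},
    {"level": "informational", "fields": {"User": "alice", "Image": "C:\\Windows\\explorer.exe"}},
]

# Constructed timeline.csv lines in a simplified column layout.
SAMPLE_TIMELINE = """\
Timestamp,Computer,Level,RuleTitle,Details
2022-04-21 10:00:01,WS-01,crit,Backup Service Abuse,User: svc_backup | SrcIP: 10.0.0.5
2022-04-21 10:00:07,WS-02,info,Logon,User: alice
2022-04-21 10:01:13,WS-01,high,Admin Logon,User: Administrator
"""

def parse_pivot_config(text):
    """Map each KeywordName to the FieldNames it collects (split on the last '.')."""
    fields = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            keyword, field = line.rsplit(".", 1)
            fields[keyword].append(field)
    return dict(fields)

def pivot_keywords(events, config, min_level="informational"):
    """Sorted unique values per keyword, from events at or above min_level (like -m)."""
    found = defaultdict(set)
    for ev in events:
        if LEVELS[ev["level"]] < LEVELS[min_level]:
            continue
        for keyword, names in config.items():
            found[keyword].update(ev["fields"][n] for n in names if n in ev["fields"])
    return {k: sorted(v) for k, v in found.items() if v}

def narrow_timeline(timeline_csv, keywords):
    """Keep timeline lines containing any keyword, as grep -f keywords.txt timeline.csv would."""
    return [ln for ln in timeline_csv.splitlines() if any(k in ln for k in keywords)]
```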
