[bug] #1615

Open
AhmetPayaslioglu opened this issue Mar 3, 2025 · 3 comments
Labels
bug Something isn't working

Comments

@AhmetPayaslioglu

Describe the bug
Hi, when I run Hayabusa on event logs collected from my own machine, I get a CSV output with a size of 0. Additionally, when I check the HTML report, I confirm that the number of detections is 0. However, this seems impossible because when I run it on other servers and clients in the same environment, I get thousands of detections. Something is going wrong when I run it for my client, and it produces a 0 output. I couldn't understand the issue. I don't receive any errors when running Hayabusa. How can I identify the problem?

Steps to Reproduce
I run Hayabusa in PowerShell like this:
.\hayabusa-2.19.0-win-x64.exe csv-timeline -d C:\Users\test\Desktop\hayabusatest\testeventlogs -r C:\Users\test\Desktop\hayabusatest\rules\sigma\sysmon -o output1.csv -H output1.html -w

Expected behavior
My expectation is to see hundreds of detections, just like the other devices in the same environment. This is because all machines receive the same policies, which means I should be seeing similar false positives (FPs).

Screenshots
[screenshot attachment not captured]

Environment (please complete the following information):

  • OS: Microsoft Windows 11 Enterprise 10.0.22631 N/A Build 22631
  • Hayabusa version: hayabusa-2.19.0-win-x64

Thanks for this amazing tool!

@AhmetPayaslioglu AhmetPayaslioglu added the bug Something isn't working label Mar 3, 2025
@fukusuket
Collaborator

fukusuket commented Mar 3, 2025

@AhmetPayaslioglu
Thank you for reporting the issue!
It could be due to the rules or the evtx..?🤔 Does the same thing happen if I run it with the latest package?

Also, do commands other than csv-timeline work correctly?

@YamatoSecurity
Collaborator

@AhmetPayaslioglu It looks like you are trying to only run Sysmon rules. Are you sure you have Sysmon logs? What happens if you run all the rules by not specifying the -r option?

@AhmetPayaslioglu
Author

Hi,

Thank you both for your responses.

@fukusuket

I followed your instructions step by step. As you suggested, I downloaded and tested the latest version: https://github.com/Yamato-Security/hayabusa/releases/tag/v3.1.0. However, I encountered the same issue with the csv-timeline command and got 0 detection results.

Additionally, you asked me to run other commands besides csv-timeline. As an example, I executed the computer-metrics command:

by Yamato Security

Forged for the modern-day digital detective~

Start time: 2025/03/04 09:19
Total event log files: 385
Total file size: 2.3 GB

Currently scanning for computer metrics. Please wait.

An error occurred while trying to deserialize evtx stream.
An error occurred while trying to deserialize evtx stream.
[00:00:21] 385 / 385 [========================================] 100%

Scanning finished.

╭──────────────────────────────┬───────────╮
│ Computer ┆ Events │
╞══════════════════════════════╪═══════════╡
│ test.jack ┆ 1,882,540 │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌┤
│ DESKTOP-123456 ┆ 41,280 │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌┤
│ WIN-2I1234 ┆ 1,434 │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌┤
│ WIN-523242 ┆ 138 │
╰──────────────────────────────┴───────────╯
Total computers: 4
Elapsed time: 00:00:21.672

頑張ってや〜 - Gambatte Ya~ - Do your best!

@YamatoSecurity

Yes, I have Sysmon, but I still performed the test as you requested: .\hayabusa-3.1.0-win-x64.exe csv-timeline -d C:\Users\test\Desktop\hayabusatest2\testeventlogs -o output4.csv -H output4.html -w

However, the result did not change. I still got 0 detections.
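The computer-metrics output above shows two "An error occurred while trying to deserialize evtx stream." lines, so at least some files in the directory are not parsing cleanly. As an added example (not part of this issue and not Hayabusa's own code), the script below walks a directory and performs cheap structural checks on every .evtx file: the "ElfFile" file magic, the header size field, the declared chunk count against the file length, and the "ElfChnk" magic of every 64 KiB chunk. The layout it assumes is the publicly documented EVTX on-disk format (4 KiB file header block followed by 64 KiB chunks); the helper `build_sample_evtx` only produces constructed, minimal EVTX-shaped bytes for the demonstration and is not a real event log.

```python
import os
import struct
import tempfile

EVTX_FILE_MAGIC = b"ElfFile\x00"
EVTX_CHUNK_MAGIC = b"ElfChnk\x00"
FILE_HEADER_BLOCK = 4096   # chunks start after the 4 KiB header block (assumed EVTX layout)
CHUNK_SIZE = 65536         # each chunk is 64 KiB (assumed EVTX layout)


def check_evtx(path):
    """Return a list of problems found in one .evtx file (empty list = looks sane).

    Structural checks only: file magic, header size field, declared chunk count
    versus file length, and the magic of every chunk. Record/BinXML parsing is
    left to a full parser such as Hayabusa itself.
    """
    problems = []
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        header = f.read(FILE_HEADER_BLOCK)
        if len(header) < 128:
            return ["file shorter than the 128-byte EVTX header"]
        if header[:8] != EVTX_FILE_MAGIC:
            return ["bad file magic %r" % header[:8]]
        # Assumed header layout after the magic: first chunk (8), last chunk (8),
        # next record id (8), header size (4), minor (2), major (2),
        # header block size (2), number of chunks (2); all little-endian.
        (_first, _last, _next_rec, header_size, _minor, _major,
         block_size, n_chunks) = struct.unpack_from("<QQQIHHHH", header, 8)
        if header_size != 128:
            problems.append("unexpected header size %d" % header_size)
        if block_size != FILE_HEADER_BLOCK:
            problems.append("unexpected header block size %d" % block_size)
        present = (size - FILE_HEADER_BLOCK) // CHUNK_SIZE
        if present < n_chunks:
            problems.append("header declares %d chunks but only %d fit in %d bytes"
                            % (n_chunks, present, size))
        for i in range(min(n_chunks, present)):
            f.seek(FILE_HEADER_BLOCK + i * CHUNK_SIZE)
            magic = f.read(8)
            if magic != EVTX_CHUNK_MAGIC:
                problems.append("chunk %d has bad magic %r" % (i, magic))
    return problems


def scan_directory(directory):
    """Map each .evtx file under directory (recursively) to its list of problems."""
    results = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if name.lower().endswith(".evtx"):
                path = os.path.join(root, name)
                results[path] = check_evtx(path)
    return results


def build_sample_evtx(n_chunks, corrupt_chunk=None):
    """Constructed, minimal EVTX-shaped bytes for demonstration only (not a real log)."""
    hdr = bytearray(FILE_HEADER_BLOCK)
    hdr[:8] = EVTX_FILE_MAGIC
    struct.pack_into("<QQQIHHHH", hdr, 8, 0, n_chunks - 1, 0, 128, 1, 3,
                     FILE_HEADER_BLOCK, n_chunks)
    data = bytes(hdr)
    for i in range(n_chunks):
        chunk = bytearray(CHUNK_SIZE)
        chunk[:8] = b"XXXXXXXX" if i == corrupt_chunk else EVTX_CHUNK_MAGIC
        data += bytes(chunk)
    return data


def demo():
    """Write three constructed files to a temp dir, scan them, return {name: problems}."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "good.evtx"), "wb") as f:
            f.write(build_sample_evtx(2))
        with open(os.path.join(d, "bad.evtx"), "wb") as f:
            f.write(build_sample_evtx(2, corrupt_chunk=1))
        with open(os.path.join(d, "truncated.evtx"), "wb") as f:
            # declares 3 chunks but only the header block plus one chunk is written
            f.write(build_sample_evtx(3)[: FILE_HEADER_BLOCK + CHUNK_SIZE])
        return {os.path.basename(p): v for p, v in scan_directory(d).items()}


if __name__ == "__main__":
    # Replace demo() with scan_directory(r"C:\path\to\testeventlogs") on real data.
    for name, problems in sorted(demo().items()):
        print(name, "OK" if not problems else "; ".join(problems))
```

On a real collection, run `scan_directory` against the -d directory and look at the files it flags: a file that fails these checks is a likely source of the deserialize errors, and separating it out (or re-collecting it) lets you confirm whether the remaining, well-formed logs yield detections. A clean result from this script does not prove the logs are complete, since it never inspects the records themselves or whether a Sysmon channel is present.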
