Pivot Keyword Generator

You can use the `-p` or `--pivot-keywords-list` option to create a list of unique pivot keywords to quickly identify abnormal users, hostnames, processes, etc. as well as correlate events. You can customize which keywords you want to search for by editing `config/pivot_keywords.txt`.

This is the default setting:

```
Users.SubjectUserName
Users.TargetUserName
Users.User
Logon IDs.SubjectLogonId
Logon IDs.TargetLogonId
Workstation Names.WorkstationName
Ip Addresses.IpAddress
Processes.Image
```

The format is `KeywordName.FieldName`. For example, when creating the list of `Users`, hayabusa will list all the values in the `SubjectUserName`, `TargetUserName` and `User` fields. By default, hayabusa will return results from all events (informational and higher), so we highly recommend combining the `--pivot-keywords-list` option with the `-m` or `--min-level` option. For example, start off by only creating keywords from `critical` alerts with `-m critical` and then continue with `-m high`, `-m medium`, etc. There will most likely be common keywords in your results that match many normal events, so after manually checking the results and creating a list of unique keywords in a single file, you can then create a narrowed-down timeline of suspicious activity with a command like `grep -f keywords.txt timeline.csv`.
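As an added illustration (not hayabusa's own code), here is a small Python reimplementation of what the config drives: parsing `KeywordName.FieldName` lines into keyword groups, then collecting the unique values of each group's fields from alerts at or above a minimum level, the same cut-off `-m` applies. The `{"level", "details"}` event shape and the sample alerts are constructed assumptions, not hayabusa's output format.

```python
from collections import defaultdict
# Constructed copy of the default config/pivot_keywords.txt shown above.
DEFAULT_CONFIG = """\
Users.SubjectUserName
Users.TargetUserName
Users.User
Logon IDs.SubjectLogonId
Logon IDs.TargetLogonId
Workstation Names.WorkstationName
Ip Addresses.IpAddress
Processes.Image
"""
# Alert levels, lowest to highest, for a --min-level style cut-off.
LEVELS = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

def parse_pivot_config(text):
    """Map KeywordName.FieldName lines to {keyword_name: [field, ...]}.
    Split on the last dot so names with spaces, e.g. "Logon IDs", stay intact."""
    groups = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blank and comment lines
            continue
        name, dot, field = line.rpartition(".")
        if not (dot and name and field):
            raise ValueError(f"bad pivot keyword line: {raw!r}")
        groups[name].append(field)
    return dict(groups)

def pivot_keywords(events, groups, min_level="informational"):
    """Unique values per keyword group from events at or above min_level."""
    threshold = LEVELS[min_level]
    found = {name: set() for name in groups}
    for ev in events:
        if LEVELS[ev["level"]] < threshold:
            continue
        for name, fields in groups.items():
            for field in fields:
                value = ev["details"].get(field)
                if value not in (None, ""):
                    found[name].add(str(value))
    return {name: sorted(values) for name, values in found.items()}

# Constructed sample alerts; the {"level", "details"} shape is an assumption.
SAMPLE_EVENTS = [
    {"level": "critical", "details": {"SubjectUserName": "SYSTEM", "TargetUserName": "backdoor$"}},
    {"level": "high", "details": {"Image": r"C:\Windows\Temp\svc_update.exe", "IpAddress": "10.0.0.5"}},
    {"level": "informational", "details": {"User": "alice", "SubjectLogonId": "0x3e7"}},
]
```

Running `pivot_keywords(SAMPLE_EVENTS, parse_pivot_config(DEFAULT_CONFIG), "critical")` yields only the `Users` values from the critical alert, and lowering the level to `high` adds the `Processes` and `Ip Addresses` values, which is the step-down workflow the text recommends.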