AI analyzer and DFIR timeline and report generation tool for Hayabusa results.
Mecha Hayabusa connects the Windows event log analysis tool Hayabusa to large language models (LLMs) through the Model Context Protocol (MCP), enabling natural-language driven digital forensics and threat hunting. Analysts can investigate CSV-based Windows event log datasets using capabilities such as MITRE ATT&CK tactic analysis, IOC extraction, lateral movement correlation, PowerShell decoding, and host-centric timeline analysis.
Hayabusa CSV timelines are automatically converted into a local DuckDB database, allowing LLMs to perform fast, structured analysis over large log datasets. The system provides capabilities including dataset switching and profiling, read-only SQL execution, cross-field search, rule title aggregation, time-window summarization, host timeline analysis, Details field parsing, IOC extraction, Base64-encoded PowerShell decoding, and lateral movement correlation.
Mecha Hayabusa also includes a dedicated investigation skill that standardizes the DFIR workflow and supports structured incident report generation in Japanese or English.
The key innovation of Mecha Hayabusa is enabling an LLM to execute a structured DFIR investigation workflow through MCP, rather than acting as a simple search interface. This approach supports the full investigation lifecycle—from dataset triage and hypothesis development to attack-phase analysis, host-level investigation, lateral movement correlation, and final report generation—while improving consistency and efficiency for incident responders.
Installation:
uv sync

Start the MCP server (HTTP transport):
uv run server.py --transport http --port 9999

Endpoint:
http://127.0.0.1:9999/mcp

Register the server with Claude Code:
claude mcp add --transport http hayabusa http://127.0.0.1:9999/mcp

Confirmation:
claude mcp list

Example prompts:
Use Mecha Hayabusa to read hayabusa-results.csv and build an intrusion timeline and report.
What happened in ACC-09?

Results
An HTML report will be generated. See the "samples" folder for an example.
Manage datasets used for analysis.
- get_dataset_status: Retrieve the status of the currently loaded dataset.
- list_datasets: List available CSV datasets for analysis. Supports pagination.
- switch_dataset: Switch the active analysis dataset to a specified CSV file.
- unload_dataset: Unload the current logs table.
- dataset_profile: Retrieve a summary of the dataset, including total event count, time range, and top trends. Supports pagination.

Search and query log data.
- run_sql: Execute a read-only SELECT query against the logs table. Includes built-in safety constraints.
- search_all_fields: Perform keyword searches across all columns or specified columns. Supports pagination.
- get_event_detail: Retrieve a single event in expanded Field / Value format. Supports lookup by RecordID or query conditions.

Analyze attack activity and event timelines.
- analyze_mitre_tactics: Perform chronological analysis of attack phases grouped by MITRE ATT&CK tactics.
- analyze_host_timeline: Extract chronological events for a specific host. Useful for compromise chain tracking.
- correlate_lateral_movement: Correlate lateral movement activity between hosts within a specified time window.
- summarize_events: Aggregate log events by a specified field.
- summarize_by_time_window: Count events by time window (1h, 3h, 6h, 12h, 1d).
- analyze_rule_titles: Aggregate the frequency of RuleTitle occurrences with optional filtering conditions.

Extract and analyze indicators from log details.
- parse_details_field: Extract key/value pairs from the Details field. Supports listing and unique aggregation.
- extract_iocs: Extract Indicators of Compromise (IOCs) from Details and ExtraFieldInfo, categorized by type.
- decode_powershell_commands: Decode Base64-encoded PowerShell commands found in events.
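The following is an added illustration, not code from the Mecha Hayabusa project: it loads a Hayabusa-style CSV timeline into a local SQL table, gates queries the way a read-only run_sql tool must (single SELECT only, write keywords rejected, engine set to read-only, results capped), and produces an hourly bucket summary in the spirit of summarize_by_time_window. It uses Python's built-in sqlite3 in place of DuckDB so it runs with no extra dependencies; the CSV rows are constructed sample data in Hayabusa's column layout, and the function names and guard rules are assumptions rather than the project's API.

```python
import csv
import io
import re
import sqlite3

# Constructed sample rows in Hayabusa's standard CSV column layout (not real case data).
SAMPLE_CSV = """Timestamp,Computer,Channel,EventID,Level,RecordID,RuleTitle,Details
2024-01-10 09:00:01.000 +09:00,WS01,Sec,4624,info,101,Logon (Network),TgtUser: alice | SrcIP: 10.0.0.5
2024-01-10 09:05:30.000 +09:00,WS01,Sec,4688,med,102,Proc Exec,Cmdline: powershell.exe -NoProfile
2024-01-10 10:20:00.000 +09:00,DC01,Sec,4624,info,201,Logon (Network),TgtUser: alice | SrcIP: 10.0.0.7
"""

# Cheap first gate: DDL/DML keywords never belong in an analyst SELECT.
_WRITE_KEYWORDS = re.compile(r"\b(INSERT|UPDATE|DELETE|DROP|ALTER|CREATE|ATTACH|PRAGMA|VACUUM)\b", re.I)


def load_logs(csv_text: str) -> sqlite3.Connection:
    """Load a CSV timeline into an in-memory 'logs' table, all columns as TEXT."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    cols = list(rows[0].keys())
    con = sqlite3.connect(":memory:")
    col_sql = ", ".join(f'"{c}" TEXT' for c in cols)
    con.execute(f"CREATE TABLE logs ({col_sql})")
    placeholders = ", ".join("?" for _ in cols)
    con.executemany(f"INSERT INTO logs VALUES ({placeholders})", [tuple(r[c] for c in cols) for r in rows])
    con.commit()
    return con


def run_readonly_sql(con: sqlite3.Connection, query: str, limit: int = 1000) -> list:
    """Execute one SELECT/WITH statement with layered read-only constraints (hypothetical guard)."""
    q = query.strip().rstrip(";").strip()
    if ";" in q:
        raise ValueError("only a single statement is allowed")
    if not re.match(r"^(SELECT|WITH)\b", q, re.I):
        raise ValueError("only SELECT queries are allowed")
    if _WRITE_KEYWORDS.search(q):
        raise ValueError("write or schema-changing keyword in query")
    # Engine-level enforcement: any write now fails even if the keyword gate is bypassed.
    con.execute("PRAGMA query_only = 1")
    # Wrapping as a subquery forces SELECT shape and bounds the rows handed to the LLM.
    return con.execute(f"SELECT * FROM ({q}) LIMIT ?", (limit,)).fetchall()


def summarize_hourly(con: sqlite3.Connection) -> list:
    """Count events per 1h bucket; substr(Timestamp, 1, 13) yields 'YYYY-MM-DD HH'."""
    return run_readonly_sql(
        con, 'SELECT substr("Timestamp", 1, 13) AS hour, COUNT(*) AS n FROM logs GROUP BY hour ORDER BY hour'
    )
```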
- Akira Nishikawa (https://github.com/nishikawaakira)
- Pinksawtooth (https://github.com/pinksawtooth | https://x.com/PINKSAWTOOTH)
- Zach Mathis / Tanaka Zakku (https://github.com/Yamato-Security/ | https://x.com/yamatosecurity)
