hayabusa-mcp
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@hayabusa-mcpscan the file security.evtx for suspicious events"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
hayabusa-mcp
An MCP (Model Context Protocol) server that wraps Hayabusa
for EVTX (Windows Event Log) analysis, exposing scan_evtx and get_hayabusa_rules
tools, plus read-only detection:// resources for browsing the bundled Sigma
rule set (see Resources below).
Note: this README covers licensing and the Claude Desktop extension build step. Full setup/usage documentation is still in progress — see
HANDOFF.mdfor detailed background in the meantime.
Setup
./download_hayabusa.sh— downloads and checksum-verifies the Hayabusa binary into./hayabusa/pip install -r requirements.txt(or use a.venv)Connect via
.mcp.json(Claude Code) or as a Claude Desktop extension (see below)
Related MCP server: EventWhisper
Resources
Alongside the two tools, the server exposes four read-only detection:// MCP
resources for browsing the bundled Sigma/Hayabusa rule set and looking up
MITRE ATT&CK technique coverage:
detection://rules— a compact JSON index of the bundled rules (resource_id,id_source,title,levelonly — not full rule bodies). Capped at 500 entries per read;truncated/total_rulesin the response indicate when more exist.detection://rules/{rule_identifier}— the complete YAML text of one rule.rule_identifieris the rule's own YAMLid:(a UUID); a small number of rules missing a valididget a stablefallback-<hash>identifier instead — checkid_sourcein the index to tell them apart.detection://rules/by-technique/{technique_id}— rules tagged with a given MITRE ATT&CK technique ID (case-insensitive). A bare parent ID likeT1003matches its own tag plus any sub-technique tagged beneath it (labeledinherited_subtechniquein the response); a specific sub-technique query likeT1003.001matches only that exact tag, never its parent or sibling sub-techniques.detection://attack/techniques/{technique_id}— local coverage facts for a technique ID (match count,covered/not_covered), computed solely from the bundled rule set. This server does not bundle an ATT&CK technique-name/tactic/description dataset, so no such fields are returned — the response only contains what can be derived from local rule data.
Claude Desktop extension
The extension's manifest.json points PYTHONPATH at a vendored ./lib/
directory rather than any external virtualenv. lib/ is not tracked in git
(it contains compiled, platform-specific wheels) — build it locally with:
./package_extension.shThis regenerates ./lib/ from requirements.txt and produces
dist/hayabusa-mcp.zip. You'll still need ./hayabusa/ populated separately
via download_hayabusa.sh before the extension can run.
License
This project is licensed under the MIT License.
Hayabusa itself is a separate project licensed under
AGPL-3.0.
It is downloaded at setup time by download_hayabusa.sh and invoked as an
external subprocess — it is not vendored or linked into this repository.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Pirate-Kitty/hayabusa-mcp-security-scanner'
If you have feedback or need assistance with the MCP directory API, please join our Discord server