mcp-hayabusa
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@mcp-hayabusascan C:\Logs\Security.evtx and list critical events"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Hayabusa MCP Server
An MCP (Model Context Protocol) server that connects Claude to Hayabusa, a Windows event log (EVTX) forensics timeline generator and threat hunting tool. It lets an LLM agent run real Hayabusa scans against Windows event logs and reason about the results in plain conversation, instead of a human manually running CLI commands and reading raw CSV output.
Overview
Hayabusa is a fast, Rust-based command-line tool built by Yamato Security
that parses Windows Event Log (.evtx) files and matches them against thousands of
Sigma-based detection rules to flag suspicious activity — failed logons, lateral movement,
persistence mechanisms, credential access, and more.
This project wraps that CLI tool as an MCP server: a small Python process that exposes Hayabusa's subcommands as tools an MCP-compatible client (such as Claude Desktop or Claude Code) can call. Instead of memorizing Hayabusa's flags, a user can just ask Claude in natural language — "scan these event logs and tell me if anything looks suspicious" — and Claude invokes the appropriate tool, reads back a summarized result, and explains it.
Related MCP server: BloodHound MCP Server
The cybersecurity problem it solves
Windows event logs are one of the richest sources of forensic evidence during incident response and threat hunting, but they're also one of the least accessible:
A single
.evtxfile can contain tens of thousands of events in a dense, semi-structured format that isn't practical to read by hand.Detection rules (Sigma/Hayabusa rules) require domain knowledge to write and interpret — knowing that an alert fired is only half the job; understanding why it matters takes security expertise.
Junior analysts and students often have the tool access but not yet the pattern-recognition experience to triage results quickly; senior analysts have the experience but limited time to review every log by hand.
This project closes that gap by giving an LLM direct, structured access to Hayabusa's output.
Claude can run a scan, get back event counts grouped by severity (Level) instead of a raw
CSV dump, and use its own reasoning to help explain what a given alert means, which events look
most urgent, and what to investigate next — while the actual detection logic still comes from
Hayabusa's vetted rule engine, not from the LLM guessing.
How MCP connects Claude to Hayabusa
┌─────────────┐ MCP (stdio) ┌───────────────────┐ subprocess ┌───────────┐
│ Claude │ ◄──────────────────────► │ mcp-hayabusa │ ◄──────────────────► │ hayabusa │
│ (Desktop/CLI)│ JSON-RPC tool calls │ (this project) │ CLI invocation │ .exe │
└─────────────┘ └───────────────────┘ └───────────┘
│
▼
reads/writes .evtx, .csvClaude (the MCP client) launches
mcp-hayabusaas a local subprocess and talks to it over the MCP protocol (JSON-RPC over stdio).On startup, the server (built with the
mcpPython SDK'sFastMCP) advertises its available tools — e.g.hayabusa_csv_timeline,hayabusa_search— along with a description and parameter schema for each, generated from Python type hints and docstrings.When the user asks something that maps to one of those tools, Claude calls it with structured arguments (e.g.
{"directory": "C:\\logs", "extra_args": ["-m", "medium"]}).The server translates that call into a real
hayabusa <subcommand> ...invocation via Python'ssubprocess, waits for it to finish, and reads back the result.For scans that produce large output files (like
csv-timeline), the server doesn't return the raw file to Claude — it parses the CSV and returns a compact summary (total event count, counts grouped by alertLevel, and a small row sample), plus the full file path so a human (or Claude, via other tools) can inspect the complete results directly.Claude uses that summary to answer the user in natural language, and can chain further tool calls (e.g.
hayabusa_searchfor a specific keyword) based on what it sees.
MCP is what makes this generic: the same server works unmodified with any MCP-compatible client, and Claude doesn't need any Hayabusa-specific training — the tool descriptions are the documentation it reads at connection time.
Main features
Six MCP tools covering the most common Hayabusa workflows: building a detection timeline, searching logs, summarizing logons, and reporting event-ID/rule metrics.
Result summarization, not raw dumps —
hayabusa_csv_timelineparses its own CSV output and returns event counts by severity level plus a small sample, so a large scan doesn't blow past the model's context window.Subcommand allowlist — the wrapper only ever invokes a fixed set of known-safe Hayabusa subcommands (
ALLOWED_SUBCOMMANDSinhayabusa.py), rather than passing arbitrary attacker-or-model-controlled strings straight to a shell.No shell interpolation — all commands are built as argument lists and run with
subprocess.run(..., shell=False), which avoids shell/command-injection risk even though inputs (file paths, keywords) can come from model-generated text.Version-tolerant flag handling — only the input/output flags (
-d,-f,-o) are hardcoded, since Hayabusa's other flags have changed across releases; everything else (rules directory, minimum level, output profile) is passed through an explicitextra_argslist rather than guessed.Configurable, fail-fast binary lookup — the Hayabusa binary path is resolved once via
HAYABUSA_PATH(orPATH), lazily on first tool call, with a clear error if it can't be found.Unit-tested without needing the real binary — tests mock
subprocess.run, so the argument-building logic and CSV summarization can be verified in CI without installing Hayabusa or providing real.evtxfiles.
Project architecture
The server is a thin, layered wrapper — it does not reimplement any detection or log-parsing logic itself; all of that stays inside the Hayabusa binary.
Claude (MCP client)
│ MCP tool calls (JSON-RPC / stdio)
▼
server.py FastMCP app + @mcp.tool() functions.
Thin adapters: validate/shape arguments, call into hayabusa.py,
and summarize large results before returning them to the model.
│
▼
hayabusa.py subprocess wrapper. run_subcommand() is the single choke point every
call goes through — it enforces the ALLOWED_SUBCOMMANDS allowlist and
invokes the binary with an explicit argument list (no shell=True).
Convenience functions (csv_timeline, search, logon_summary, ...) build
argument lists on top of it. summarize_csv_timeline() reads scan output
back off disk and reduces it to counts + a sample.
│
▼
config.py Resolves the hayabusa binary path from HAYABUSA_PATH (env var) or PATH,
and reads HAYABUSA_TIMEOUT_SECONDS. Raises a clear error if the binary
can't be found; resolved lazily so the server can still start and list
its tools before Hayabusa is configured.
│
▼
hayabusa.exe The actual Hayabusa binary (external dependency, not bundled).
Reads .evtx files, applies Sigma-based detection rules, writes
CSV/JSON/stdout output.Technologies used
Python 3.10+ — implementation language
mcpPython SDK (FastMCP) — MCP server framework: tool registration, JSON-RPC/stdio transport, schema generation from type hintssubprocess(standard library) — safe, shell-free invocation of the Hayabusa CLIcsv(standard library) — parsing Hayabusa's CSV timeline output for summarizationHayabusa (Rust, external binary) — the actual event-log parsing and Sigma-rule detection engine this project wraps
pytest — unit tests, with
subprocess.runmocked outpyproject.toml/setuptools— packaging, editable installs, console-script entry point
Installation and setup (Windows)
Prerequisites
Python 3.10 or later
The
hayabusabinary, downloaded separately — this project does not bundle, download, or install it
Steps
# 1. Clone or download this repository, then from its root:
python -m venv .venv
.venv\Scripts\Activate.ps1
# 2. Install the project (editable install) plus dev/test dependencies
pip install -e ".[dev]"
# 3. Run the tests to confirm the install worked (no hayabusa binary required for this)
pytestConfiguring HAYABUSA_PATH
The server needs to know where the Hayabusa binary lives. Set the HAYABUSA_PATH environment
variable to its full path — if it isn't set, the server falls back to looking for hayabusa
(or hayabusa.exe) on your system PATH.
PowerShell (current session only):
$env:HAYABUSA_PATH = "C:\tools\hayabusa\hayabusa.exe"PowerShell (persist across sessions, current user):
[System.Environment]::SetEnvironmentVariable("HAYABUSA_PATH", "C:\tools\hayabusa\hayabusa.exe", "User")Or, if you'd rather not set an environment variable at all, just add the folder containing
hayabusa.exe to your PATH instead — the server will find it automatically.
If HAYABUSA_PATH is unset and nothing named hayabusa/hayabusa.exe is found on PATH, tool
calls will fail with a clear HayabusaNotFoundError explaining how to fix it.
Running the server
mcp-hayabusaor, without relying on the installed console script:
python -m mcp_hayabusa.serverFor interactive debugging (lets you call tools by hand and inspect responses) via the MCP Inspector:
mcp dev src/mcp_hayabusa/server.pyRegistering with Claude Desktop / Claude Code
Add an entry to your MCP client config (e.g. claude_desktop_config.json, or via
claude mcp add):
{
"mcpServers": {
"hayabusa": {
"command": "mcp-hayabusa",
"env": {
"HAYABUSA_PATH": "C:\\tools\\hayabusa\\hayabusa.exe"
}
}
}
}Example usage
Once the server is registered with Claude, a conversation might look like this:
You: I have some Windows Security event logs from a suspicious host at
C:\incident\host23. Can you build a detection timeline and tell me if anything stands out?Claude: (calls
hayabusa_csv_timelinewithdirectory="C:\\incident\\host23")I ran a scan across that directory — 4,812 events total. Severity breakdown: 3
critical, 12high, 47medium, the rest informational. The critical alerts are all related to potential credential dumping (LSASS access). Want me to pull the full detail on those three events, or search for related activity around the same timestamps?You: Search for "lsass" across the same logs.
Claude: (calls
hayabusa_searchwithdirectory="C:\\incident\\host23", keywords=["lsass"])Found 9 matching events...
Equivalent direct tool calls (what Claude actually sends under the hood):
{
"tool": "hayabusa_csv_timeline",
"arguments": {
"directory": "C:\\incident\\host23",
"extra_args": ["-m", "medium"]
}
}{
"tool": "hayabusa_search",
"arguments": {
"directory": "C:\\incident\\host23",
"keywords": ["lsass"]
}
}Available tools
Tool | Purpose |
| Scan |
| Keyword/regex search across |
| Summarize successful/failed logon events |
| Event counts/percentages by Event ID |
| List available output profiles |
| Sync Sigma-based detection rules to the latest version |
Every tool that takes log input accepts exactly one of directory (a folder of .evtx files)
or file (a single .evtx file), plus an extra_args passthrough list for flags this wrapper
doesn't hardcode (rules directory, minimum level, output profile, etc.) — run
hayabusa <subcommand> --help to see what your installed version supports, since flags have
changed across Hayabusa releases.
Project folder structure
mcp-hayabusa/
├── src/
│ └── mcp_hayabusa/
│ ├── __init__.py # package version
│ ├── config.py # resolves HAYABUSA_PATH / timeout from environment
│ ├── hayabusa.py # subprocess wrapper, subcommand allowlist, CSV summarizer
│ └── server.py # FastMCP app and @mcp.tool() definitions
├── tests/
│ └── test_hayabusa.py # unit tests (subprocess.run mocked out)
├── pyproject.toml # packaging, dependencies, console-script entry point
├── README.md
└── CLAUDE.md # guidance for AI coding agents working in this repoSkills demonstrated
Designing and building an MCP server from the official Python SDK (
FastMCP), including tool schemas, docstring-driven descriptions, and stdio transportSecure subprocess handling: shell-free command construction, an explicit subcommand allowlist, and timeout enforcement around an external security tool
Applying defensive security tooling (Hayabusa / Sigma-based detection) in an agentic/LLM-assisted workflow
API/response design for LLM consumption — summarizing large structured output (CSV timelines) into a compact, model-friendly shape instead of dumping raw data
Layered architecture with clear separation of concerns (config resolution → CLI invocation → tool interface)
Test-driven verification without the real dependency — unit tests that mock
subprocess.runso core logic is verified without needing the Hayabusa binary installedEnvironment-based configuration and packaging for a Windows development workflow (
pyproject.toml, editable installs, console-script entry points)
Current limitations
Windows-oriented, manual dependency install — Hayabusa itself is not bundled, vendored, or auto-downloaded; the user must install it separately and point
HAYABUSA_PATHat it.No automated integration tests against a real Hayabusa binary or real
.evtxfiles — current tests only cover argument-building and CSV-summarization logic with mocks.HAYABUSA_RULES_PATHis defined but not yet wired up — it's read into config but not currently passed to any Hayabusa invocation; a rules directory must be supplied per call viaextra_args(e.g.["-r", "C:\\hayabusa\\rules"]) instead.Flag coverage is intentionally partial — only
-d/-f/-oare hardcoded per subcommand; everything else relies on the caller supplying correct flags viaextra_args, since Hayabusa's CLI flags have changed across releases and this project hasn't been verified against every version.No output size/row cap on
search,logon-summary, oreid-metrics— unlikehayabusa_csv_timeline, these tools return raw stdout, which could be large on bigger log sets.No authentication or multi-user access control — this is a local, single-user MCP server intended to run on the same machine as the Claude client, not a shared network service.
No log/audit trail of tool invocations — useful for a personal workflow, but a production or team deployment would likely want to record what scans were run, by whom, and when.
Future improvements
Wire up
HAYABUSA_RULES_PATHso a configured rules directory is applied automatically instead of requiringextra_argson every callAdd
hayabusa_json_timeline,computer_metrics,log_metrics, andpivot_keywords_listtool wrappers (the underlyinghayabusa.pyfunctions/allowlist already support most of these)Cap and paginate output for
search,logon_summary, andeid_metricsthe same waycsv_timelineis already summarizedAdd integration tests that run against sample/synthetic
.evtxfiles and a real Hayabusa binary in CICross-platform support (Hayabusa itself runs on Linux/macOS too; this wrapper's binary resolution and packaging currently assume a Windows workflow)
Structured logging of tool calls (subcommand, arguments, duration, result) for auditability
Optional automatic rule updates on a schedule, rather than only on explicit
hayabusa_update_rulescalls
Disclaimer
This project is built for educational and defensive security purposes only. It is a personal/portfolio project demonstrating how to integrate an LLM agent with a legitimate, publicly available forensics tool (Hayabusa) via the Model Context Protocol.
It is intended for use on event logs you own or are explicitly authorized to analyze (e.g. your own systems, lab environments, or logs provided as part of an authorized incident response or training engagement).
It performs read-only analysis of event log data — it does not modify, exploit, or attack any system. Detection logic comes entirely from Hayabusa's own Sigma-based rule engine, not from this project or from the LLM.
It is not a replacement for professional incident response tooling, processes, or judgment. Always validate findings from any automated tool — including this one — against your own analysis before acting on them.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/cybergirl0810/mcp-hayabusa'
If you have feedback or need assistance with the MCP directory API, please join our Discord server