Skip to main content
Glama
meg4tech

mcp-hayabusa

by meg4tech

mcp-hayabusa

An MCP server that wraps Hayabusa, the Rust-based Windows event log (EVTX) fast forensics and threat-hunting tool, so an LLM client like Claude Code can scan EVTX files and browse detection rules directly in conversation.

Point Claude at a .evtx file and ask it to find suspicious logons, lateral movement, or persistence activity — it drives Hayabusa under the hood and gets back structured JSON it can reason about.

Tools

scan_evtx

Runs Hayabusa's json-timeline command against a single EVTX file and returns matched events as JSON.

Argument

Description

path

Path to the .evtx file to scan.

min_severity

Minimum severity to include: informational, low, medium, high, critical. Defaults to informational (no filtering).

rule_filter

Only include events whose rule title contains this substring (case-insensitive), e.g. "lateral" or "mimikatz".

output_format

summary (default) returns condensed fields (timestamp, rule title, level, computer, channel, event ID, record ID); full returns the complete Hayabusa record.

max_results

Caps the number of events returned. event_count in the response always reflects the total before truncation.

get_hayabusa_rules

Lists available Hayabusa/Sigma detection rules, optionally filtered by keyword — useful for discovering what detections exist, or for finding the right rule_filter value before calling scan_evtx.

Argument

Description

keyword

Only include rules whose title, description, or tags contain this substring (case-insensitive).

max_results

Caps the number of rules returned (default 100; the full set has several thousand entries). rule_count always reflects the total before this cap.

Related MCP server: Binary MCP Server

Setup

1. Create a virtual environment and install dependencies

py -m venv .venv
.venv\Scripts\activate
pip install -r requirements.txt

2. Download the Hayabusa binary and detection rules

py scripts/download_hayabusa.py

This fetches the latest Hayabusa release for your platform from GitHub and extracts it into ./hayabusa/. The server expects the binary at hayabusa/hayabusa.exe on Windows (or hayabusa/hayabusa on Linux/macOS) — rename the downloaded, versioned binary (e.g. hayabusa-3.10.0-win-x64.exe) to that name if needed.

Detection rules are expected at hayabusa/rules/ (Hayabusa's own hayabusa and sigma rule sets). Clone them from the official rules repo into that path, e.g.:

git clone https://github.com/Yamato-Security/hayabusa-rules.git hayabusa/rules

3. Verify

py server.py

The server communicates over stdio, so it won't print anything on success — it's ready for an MCP client to connect.

Connecting to Claude Code

This repo includes an .mcp.json with the server already configured:

{
  "mcpServers": {
    "hayabusa": {
      "command": "py",
      "args": ["server.py"]
    }
  }
}

With this file present at the project root, Claude Code picks it up automatically when you open the project — no extra registration step needed. To add it manually to another project instead, run:

claude mcp add hayabusa -- py "C:\path\to\mcp-hayabusa\server.py"

Once connected, ask Claude something like "Scan this EVTX file for high-severity events" or "What Hayabusa rules cover lateral movement?" and it will call scan_evtx / get_hayabusa_rules directly.

Requirements

  • Python 3.10+

  • Windows, Linux, or macOS (Hayabusa ships native binaries for all three)

F
license - not found
-
quality - not tested
C
maintenance

Maintenance

Maintainers
Response time
Release cycle
Releases (12mo)
Commit activity

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/meg4tech/mcp-hayabusa'

If you have feedback or need assistance with the MCP directory API, please join our Discord server