mcp-hayabusa
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@mcp-hayabusaScan security.evtx for high-severity events"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
mcp-hayabusa
An MCP server that wraps Hayabusa, the Rust-based Windows event log (EVTX) fast forensics and threat-hunting tool, so an LLM client like Claude Code can scan EVTX files and browse detection rules directly in conversation.
Point Claude at a .evtx file and ask it to find suspicious logons, lateral movement, or persistence activity — it drives Hayabusa under the hood and gets back structured JSON it can reason about.
Tools
scan_evtx
Runs Hayabusa's json-timeline command against a single EVTX file and returns matched events as JSON.
Argument | Description |
| Path to the |
| Minimum severity to include: |
| Only include events whose rule title contains this substring (case-insensitive), e.g. |
|
|
| Caps the number of events returned. |
get_hayabusa_rules
Lists available Hayabusa/Sigma detection rules, optionally filtered by keyword — useful for discovering what detections exist, or for finding the right rule_filter value before calling scan_evtx.
Argument | Description |
| Only include rules whose title, description, or tags contain this substring (case-insensitive). |
| Caps the number of rules returned (default |
Related MCP server: Binary MCP Server
Setup
1. Create a virtual environment and install dependencies
py -m venv .venv
.venv\Scripts\activate
pip install -r requirements.txt2. Download the Hayabusa binary and detection rules
py scripts/download_hayabusa.pyThis fetches the latest Hayabusa release for your platform from GitHub and extracts it into ./hayabusa/. The server expects the binary at hayabusa/hayabusa.exe on Windows (or hayabusa/hayabusa on Linux/macOS) — rename the downloaded, versioned binary (e.g. hayabusa-3.10.0-win-x64.exe) to that name if needed.
Detection rules are expected at hayabusa/rules/ (Hayabusa's own hayabusa and sigma rule sets). Clone them from the official rules repo into that path, e.g.:
git clone https://github.com/Yamato-Security/hayabusa-rules.git hayabusa/rules3. Verify
py server.pyThe server communicates over stdio, so it won't print anything on success — it's ready for an MCP client to connect.
Connecting to Claude Code
This repo includes an .mcp.json with the server already configured:
{
"mcpServers": {
"hayabusa": {
"command": "py",
"args": ["server.py"]
}
}
}With this file present at the project root, Claude Code picks it up automatically when you open the project — no extra registration step needed. To add it manually to another project instead, run:
claude mcp add hayabusa -- py "C:\path\to\mcp-hayabusa\server.py"Once connected, ask Claude something like "Scan this EVTX file for high-severity events" or "What Hayabusa rules cover lateral movement?" and it will call scan_evtx / get_hayabusa_rules directly.
Requirements
Python 3.10+
Windows, Linux, or macOS (Hayabusa ships native binaries for all three)
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/meg4tech/mcp-hayabusa'
If you have feedback or need assistance with the MCP directory API, please join our Discord server