Tool

Opening: Mecha Hayabusa is a tool that bridges the Hayabusa Windows event log CSV output with large language models using the Model Context Protocol (MCP). The project aims to enable a structured, LLM-driven DFIR workflow rather than a simple free-text search over logs.

Key Features:
• Automatic ingestion of Hayabusa CSV timelines into a local DuckDB instance to enable fast, structured queries over large log datasets.
• Read-only SQL execution against the logs table with built-in safety constraints to avoid destructive operations.
• Cross-field search, dataset profiling, time-window summarization, and host-centric timeline assembly for focused investigations.
• Extraction of Indicators of Compromise (IOCs), aggregation of rule titles, and parsing of Details fields from Hayabusa output.
• Base64 PowerShell decoding and correlation routines to identify lateral movement patterns across hosts.
• A dedicated investigation skill that codifies a DFIR workflow and supports standardized incident report generation in Japanese and English.

Technical Implementation: Mecha Hayabusa converts Hayabusa CSV timelines into a local DuckDB database, exposing read-only query capabilities and structured summarization endpoints over an MCP-compatible HTTP transport. The system exposes dataset management (list, switch, unload), profiling endpoints, and specialized analysis primitives (IOC extraction, PowerShell decoding, lateral correlation).
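The read-only query path and the analysis primitives listed above, as an added example that is not part of Mecha Hayabusa or its repository: it loads constructed Hayabusa-style rows into a local table, accepts only a single SELECT/WITH statement per call and additionally has the database engine deny every non-read action, then runs a time-window summary, a host timeline, a base64 -EncodedCommand decode and a simple cross-host logon correlation. Standard-library sqlite3 stands in for DuckDB so it runs without extra packages (DuckDB's own engine-level lock is connect(path, read_only=True)); the column names are assumed to mirror Hayabusa's default CSV profile, and every row, user name and address is invented.

```python
"""Added example (not Mecha Hayabusa's own code): ingest Hayabusa-style CSV
rows into a local SQL table, run queries through a read-only guard, summarise
a time window, build a host timeline and decode base64 PowerShell.  sqlite3
stands in for DuckDB so the example needs only the standard library."""
import base64
import csv
import io
import re
import sqlite3

# Constructed sample rows; column names are assumed to mirror Hayabusa's
# default CSV profile, all values are invented.  The encoded command is built
# at load time so the base64 is guaranteed to be valid UTF-16LE.
ENC = base64.b64encode("Write-Output hi".encode("utf-16le")).decode()
SAMPLE_CSV = f"""Timestamp,Computer,Channel,EventID,Level,RuleTitle,Details
2024-05-01 10:00:05.123 +00:00,WS01,Sec,4624,info,Logon (Network),TgtUser: alice ¦ SrcIP: 10.0.0.5
2024-05-01 10:01:10.000 +00:00,WS01,PwSh,4104,high,Encoded PowerShell,Cmdline: powershell -enc {ENC}
2024-05-01 10:02:00.000 +00:00,SRV02,Sec,4624,info,Logon (Network),TgtUser: alice ¦ SrcIP: 10.0.0.7
2024-05-01 11:30:00.000 +00:00,SRV02,Sec,4624,info,Logon (Network),TgtUser: bob ¦ SrcIP: 10.0.0.9
"""

COLUMNS = ["Timestamp", "Computer", "Channel", "EventID", "Level", "RuleTitle", "Details"]
# The only authorizer actions a plain SELECT (incl. recursive CTEs) needs.
_READ_ONLY_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ,
                      sqlite3.SQLITE_FUNCTION, getattr(sqlite3, "SQLITE_RECURSIVE", 33)}


def ingest(csv_text):
    """Load CSV rows into a 'logs' table, then lock the connection to reads.
    DuckDB offers the same engine-level lock via connect(path, read_only=True)."""
    con = sqlite3.connect(":memory:")
    con.execute(f"CREATE TABLE logs ({', '.join(c + ' TEXT' for c in COLUMNS)})")
    rows = [[r[c] for c in COLUMNS] for r in csv.DictReader(io.StringIO(csv_text))]
    con.executemany(f"INSERT INTO logs VALUES ({', '.join('?' * len(COLUMNS))})", rows)
    con.commit()
    # Second line of defence: the engine itself refuses any non-read action.
    con.set_authorizer(lambda action, *_: sqlite3.SQLITE_OK
                       if action in _READ_ONLY_ACTIONS else sqlite3.SQLITE_DENY)
    return con


def run_query(con, sql, params=()):
    """First line of defence: one SELECT/WITH statement per call, nothing else."""
    stmt = sql.strip().rstrip(";").strip()
    if ";" in stmt:
        raise ValueError("one statement per call")
    if not re.match(r"(?i)(select|with)\b", stmt):
        raise ValueError("only SELECT queries are allowed")
    try:
        return con.execute(stmt, params).fetchall()
    except sqlite3.DatabaseError as exc:
        if "not authorized" in str(exc).lower():  # authorizer vetoed a write
            raise PermissionError(str(exc)) from exc
        raise


def window_summary(con, start, end):
    """(Level, RuleTitle, count) for start <= Timestamp < end.  Lexical order is
    enough because the timestamps are zero-padded and share one UTC offset."""
    return run_query(con, "SELECT Level, RuleTitle, COUNT(*) FROM logs "
                          "WHERE Timestamp >= ? AND Timestamp < ? "
                          "GROUP BY Level, RuleTitle ORDER BY COUNT(*) DESC", (start, end))


def host_timeline(con, computer):
    """All events for one host in time order, the host-centric view."""
    return run_query(con, "SELECT Timestamp, EventID, RuleTitle, Details FROM logs "
                          "WHERE Computer = ? ORDER BY Timestamp", (computer,))


_ENC = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_powershell(details):
    """Recover the plaintext of a '-enc <base64>' argument (UTF-16LE), or None."""
    m = _ENC.search(details)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


_USER = re.compile(r"TgtUser: (\S+)")


def lateral_candidates(con):
    """Users whose 4624 logons span more than one host: {user: [hosts]}."""
    seen = {}
    for computer, details in run_query(
            con, "SELECT Computer, Details FROM logs WHERE EventID = '4624'"):
        m = _USER.search(details)
        if m:
            seen.setdefault(m.group(1), set()).add(computer)
    return {u: sorted(h) for u, h in seen.items() if len(h) > 1}


if __name__ == "__main__":
    db = ingest(SAMPLE_CSV)
    print(window_summary(db, "2024-05-01 10:00:00", "2024-05-01 10:05:00"))
    print(decode_encoded_powershell(host_timeline(db, "WS01")[1][3]))
    print(lateral_candidates(db))
```

The two layers matter because a prefix check alone passes `WITH t AS (SELECT 1) DELETE FROM logs`, which is a legal statement in SQLite and in DuckDB; only the engine-level deny stops it. An MCP server that hands SQL from a language model to a database wants the same split: the tool validates the statement shape, and the connection it runs on is opened read-only.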
Integration with LLMs is mediated through MCP, allowing the model to orchestrate a sequence of analysis steps (triage, hypothesis development, host-level deep dives, and report generation) rather than returning isolated search hits.

Use Cases:
• Incident responders who need rapid host-centric timelines and cross-host correlation from exported Hayabusa results.
• Threat hunters seeking automated ATT&CK tactic classification and IOC extraction from large CSV exports.
• Organizations that want consistent, LLM-assisted incident reports in multiple languages, improving repeatability of DFIR workflows.

Limitations:
• Functionality depends on structured Hayabusa CSV exports; format deviations will reduce effectiveness.
• The system performs read-only SQL and analysis; it is not designed for endpoint remediation or live collection.
• Accuracy of natural-language summaries and report content depends on the connected LLM and its prompt/context handling.

Closing: Mecha Hayabusa represents a targeted approach to integrating structured log storage (DuckDB) with LLM orchestration via MCP to operationalize repeatable DFIR investigations and report generation.

#tool #DFIR #MCP #DuckDB #Hayabusa
Source: https://github.com/Yamato-Security/mecha-hayabusa