Yamato Security Tools

Yamato Security's Ultimate Windows Event Log Configuration Guide For DFIR And Threat Hunting (especially for sigma users) github.com/Yamato-Securit… & github.com/Yamato-Securit…

Where do you download your Azure logs from for DFIR purposes?

Just updated Hayabusa (3.9.0) and Takajo (2.16.0) to support the new MITRE ATT&CK v19 version which changes "Defense Evasion" to "Stealth" and adds "Defense Impairment" in their tactics. Enjoy! github.com/Yamato-Securit… github.com/Yamato-Securit…

Current Hayabusa benchmarks for 2026 (on a M4 MBP): Files: ~50,000 Total size: ~170 GB Detection rules: ~4500 Output size: ~40 GB Processing time: 70 mins Total memory usage: ~8 GB

Released Hayabusa 3.8.0 with our first vulnerability fix! Many thanks to the team at mobasi.ai who found and privately disclosed this. Possible XSS in the HTML report if malicious JSON logs are used as input. github.com/Yamato-Securit…

Happy new year of the horse from Yamato Security! 🎉 🎍🧧 We are going to continue to provide DFIR and threat hunting resources this year as well. Thanks to all for your support and we wish everyone a great 2026!

**NEW** BHIS | Blog When investigating a security event on a Windows endpoint, what is your favorite Windows Event ID? Wrangling Windows Events Logs with Hayabusa and SOF-ELK (Part 2) by: @securecake Published: 10/01/2025 Learn more: blackhillsinfosec.com/wrangling-wind…

For those of you who like Japanese culture, ghosts and are IT nerds 😊 Happy Halloween! 🎃 github.com/Yamato-Securit…

Programmers blame “bugs” for the problems in their code — tiny insects wreaking havoc in their machines. How absurd! After years of research, I’ve uncovered the real truth: they’re not bugs at all, but Yōkai! I’ve published my findings in the IT Yōkai Collection, revealing the real spirits haunting your devices. Happy Halloween 👻💻🎃 github.com/Yamato-Securit…

Hayabusa 3.6.0! Bug fixes and easier to parse JSON/L data for SIEM ingestion. All thanks to Fukusuke Takahashi! I also re-wrote the SOF-ELK guide and provide a new logstash config file to import data so everything you want fits on one screen. Enjoy! github.com/Yamato-Securit…

Nice intro guide to importing Hayabusa results into SOF-ELK from Patterson Cake at BHIS! We are actually working on a big update and guide that will improve SIEM (especially SOF-ELK) log ingestion. Stay tuned! blackhillsinfosec.com/wrangling-wind…

Sneak preview of the Hayabusa MCP server.

Just updated our Yamato Security tools Hayabusa, Takajo and Suzaku for our upcoming showcase at Black Hat Arsenal USA in Vegas. All thanks to our contributors: Fukusuke Takahashi, Akira Nishikawa, James Takai, DustInDark and Akkuman! Hayabusa 3.4.0: github.com/Yamato-Securit… Takajo 2.11.0: github.com/Yamato-Securit… Suzaku 1.0.0: github.com/Yamato-Securit… We will be showcasing Hayabusa and Takajo on August 6th 3-4pm: #windows-fast-forensics-with-yamato-securitys-hayabusa-45629" target="_blank" rel="nofollow noopener">blackhat.com/us-25/arsenal/… and Suzaku on August 7th at 10-11am: #cloud-log-fast-forensics-with-yamato-securitys-suzaku-45630" target="_blank" rel="nofollow noopener">blackhat.com/us-25/arsenal/… Please stop by and say hi if you are attending Black Hat! Fukusuke Takahashi、Akira Nishikawa、James Takai、DustInDark、Akkumanのコントリビュータのお陰様で、大和セキュリティツールのHayabusa、Takajo、Suzakuをラスベガスで開催されるBlack Hat Arsenal USAでの展示会に向けて更新しました！ 8月6日15~16時にHayabusaとTakajoを展示します: #windows-fast-forensics-with-yamato-securitys-hayabusa-45629" target="_blank" rel="nofollow noopener">blackhat.com/us-25/arsenal/… また、8月7日10~11時にSuzakuを展示します: #cloud-log-fast-forensics-with-yamato-securitys-suzaku-45630" target="_blank" rel="nofollow noopener">blackhat.com/us-25/arsenal/… Black Hatにご参加の方は、ぜひお立ち寄りいただき、ご挨拶ください！

Just released Suzaku v1.0.0 with great native Sigma support for AWS CloudTrail logs. (Supports almost all field modifiers and all v2 correlation rules) github.com/Yamato-Securit… Come visit our booth at Black Hat Arsenal on Aug 7th if you are around! #cloud-log-fast-forensics-with-yamato-securitys-suzaku-45630" target="_blank" rel="nofollow noopener">blackhat.com/us-25/arsenal/…

Updates for Hayabusa, Takajo and Suzaku released recently at AUSCERT and SINCON. github.com/Yamato-Security While you will need to understand your AWS environment and account usage, Suzaku’s new aws-ct-summary command is great for finding compromised accounts!

Current lead developer for all Yamato Security tools Fukusuke Takahashi will be presenting at AUSCERT on the 22nd in Brisbane. Project leader Zach Mathis will have a 2 hour Hayabusa Kampung workshop at SINCON in Singapore on the 23rd! Stop by and say hi!

Cyber Triage now has Hayabusa integration. Very cool! To all the Hayabusa users out there, be sure to report any issues with rules so we can better tune them over time. cybertriage.com/blog/3-14-rele…

Thanks to tremendous dev work by Fukusuke Takahashi and DustInDark, we have our first alpha version release of Suzaku - "Hayabusa for cloud logs". Still lots to implement but the basic sigma detection is working for AWS CloudTrail logs so try it out and give us feedback on how we can improve it for those of you who do DFIR in the cloud. Enjoy! github.com/Yamato-Securit… 高橋福助さんとDustInDarkさんによる素晴らしい開発のおかげで、Suzaku（Hayabusaをクラウドログ用にしたもの）の最初のアルファ版をリリースすることができました！ まだ実装したい機能はたくさんありますが、AWS CloudTrailログに対する基本的なSigma検出は動作しています！ クラウドでDFIRを行っている皆さん、ぜひ使ってみて、改善点やご意見をフィードバックしてください。 エンジョイ〜

Forgot the most important part! The Laksa! 😇

New version of Hayabusa 3.1.1 "Laksa Release" just released thanks to Fukusuke Takahashi! Lots of minor bug fixes as well as extracting out OS information in the computer-metrics command. Enjoy! github.com/Yamato-Securit…

Yamato Security core developer Fukusuke Takahashi will be speaking at AUSCERT on May 22nd! We are currently working on a new tool to help audit and configure your event log settings so that you will have the logs you need when inevitable incidents occur. conference.auscert.org.au/program/