Home
Suzaku (朱雀) is a Sigma-based threat hunting and fast forensics timeline generator for cloud logs, created by Yamato Security and written in Rust. Imagine Hayabusa, but for cloud logs instead of Windows event logs — with native Sigma support for AWS CloudTrail (Azure and GCP planned).
Why Suzaku?
- Cloud-native Sigma: Native Sigma detection for cloud logs — AWS CloudTrail today, Azure and GCP planned. Correlation rules and nearly all field modifiers supported.
- Fast forensics timelines: Turn thousands of noisy cloud API calls into a single, easy-to-analyze DFIR timeline with only the events you need.
- Blazing fast in Rust: Memory-safe, multi-threaded and standalone. Scans .json and compressed .json.gz logs on Windows, Linux and macOS.
- Attacker summaries: Summarize API usage and attacker metrics — source IPs, geo-location, regions, user agents — to pivot quickly.
- Behavior detection: Surface abnormal activity without relying on signatures, so you don't miss novel attacks.
- Flexible output: Save results to CSV, JSON and JSONL for analysis in your tool of choice.
Quick links
- New here? Start with the Overview, then head to Getting Started to download and run Suzaku.
- Working with the CLI? Browse the Command List and the per-command reference for Analysis, DFIR Summary and DFIR Timeline commands.
- Going further? Explore Native Sigma Support, the Companion Projects, and how to contribute.
