Cloud Incident Response Blog | Cado Security

The Cado Platform Full Export for Forensic Data Lakes

Written by jbowen@cadosecurity.com | Apr 17, 2023 6:53:17 PM

We previously released a SIEM export feature that let security professionals export a subset of the events collected by the Cado platform. We have now expanded the platform to support exporting everything Cado knows about a system. Because the Cado platform processes every file on a system offline and in depth, this new feature lets security teams augment incident investigations with greater forensic detail and context than ever before.

This “firehose” export of any system (e.g. EC2/EKS/ECS/Azure Compute/Google Compute/On-Premise) contains everything a security analyst would ever want to know about a system. Some examples of the type of data that is exported include:

  • Normalized log and file access data
  • Detections for file content and log events
  • Parsed forensic artefacts for hundreds of types of files, e.g. Shimcache and btmp files
  • Files inside zip files inside tar files inside images, etc.
  • Memory of a system
  • And much more!

Exported data is sent to cloud storage, from where it can be imported into your SIEM or data lake and correlated with other data sources.

How to Drink From the Firehose

To turn this functionality on, go to Settings -> SIEM and enable the export.

Cado can export in CEF format as well as in JSON format. A JSON record looks like this:

{
  "macb": "M...",
  "source": "REG",
  "sourcetype": "Registry Key",
  "type": "Content Modification Time",
  "user": null,
  "host": "-",
  "short": "[HKEY_CURRENT_USER/AppEvents/Schemes/Apps/.Default/Notification.Proximity] (empty)",
  "inode": "-",
  "notes": "-",
  "format": "winreg/winreg_default",
  "extra": "",
  "sha256": "9473976b2769337ca9a7243bf1ceddb3335f9551e113240ebb0c53ae789878d5",
  "tag": null,
  "eventTime": 1610559005,
  "filePath": "/NTUSER.DAT"
}
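As an added example (not Cado's code), the following loader normalises records in this JSON format before they land in a data lake: it expands the "macb" flags using the log2timeline/plaso convention (M = modified, A = accessed, C = metadata changed, B = created), drops the null and "-" placeholders, and converts the epoch "eventTime" to ISO-8601 UTC. It assumes the export is delivered one JSON object per line; the first sample record is the one shown above, the second is constructed.

```python
"""Normalise Cado JSON export records for ingestion into a data lake."""
import json
from datetime import datetime, timezone

# Constructed sample: record 1 is the page's example, record 2 is invented
# (its sha256 is a placeholder). One JSON object per line is an assumption.
SAMPLE_EXPORT = """\
{"macb": "M...", "source": "REG", "sourcetype": "Registry Key", "type": "Content Modification Time", "user": null, "host": "-", "short": "[HKEY_CURRENT_USER/AppEvents/Schemes/Apps/.Default/Notification.Proximity] (empty)", "inode": "-", "notes": "-", "format": "winreg/winreg_default", "extra": "", "sha256": "9473976b2769337ca9a7243bf1ceddb3335f9551e113240ebb0c53ae789878d5", "tag": null, "eventTime": 1610559005, "filePath": "/NTUSER.DAT"}
{"macb": ".A.B", "source": "FILE", "sourcetype": "File stat", "type": "Last Access Time; Creation Time", "user": null, "host": "-", "short": "/var/log/btmp", "inode": "131073", "notes": "-", "format": "filestat", "extra": "", "sha256": "0000000000000000000000000000000000000000000000000000000000000000", "tag": null, "eventTime": 1610562605, "filePath": "/var/log/btmp"}
"""

# Position -> (flag letter, timestamp type), log2timeline/plaso MACB convention.
MACB_FLAGS = {0: ("M", "modified"), 1: ("A", "accessed"),
              2: ("C", "metadata_changed"), 3: ("B", "created")}

PLACEHOLDERS = (None, "-", "")


def decode_macb(macb):
    """Expand a 4-character MACB string such as "M..." into the timestamp types it flags."""
    if not isinstance(macb, str) or len(macb) != 4:
        raise ValueError(f"malformed macb field: {macb!r}")
    return [name for pos, (flag, name) in MACB_FLAGS.items() if macb[pos] == flag]


def normalise(record):
    """Return a copy with placeholder fields dropped and derived fields added."""
    out = {key: value for key, value in record.items() if value not in PLACEHOLDERS}
    out["timestamp_types"] = decode_macb(record["macb"])
    out["eventTimeUtc"] = datetime.fromtimestamp(
        record["eventTime"], tz=timezone.utc).isoformat()
    return out


def load_export(text):
    """Parse a newline-delimited JSON export into normalised records."""
    return [normalise(json.loads(line)) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for rec in load_export(SAMPLE_EXPORT):
        print(rec["eventTimeUtc"], rec["timestamp_types"], rec["filePath"])
```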

For More

For more information on how to best take advantage of this new feature, check out the full technical documentation. If you have yet to get your hands on the Cado platform and want to get started, check out our 14-day free trial.