The Cado Platform Full Export for Forensic Data Lakes

Previously we released a SIEM export feature which enabled security professionals to export a subset of events collected by the Cado platform. Most recently, we’ve expanded the platform’s feature set to support the ability to export everything that Cado knows about a system. Because the Cado platform processes every file on a system offline, in depth, this new feature enables security teams to further augment incident investigations with greater forensic detail and context than ever before.

This “firehose” export of any system (e.g. EC2/EKS/ECS/Azure Compute/Google Compute/On-Premise) contains everything a security analyst would ever want to know about a system. Some examples of the type of data that is exported include:

  • Normalized log and file access data
  • Detections for file content and log events
  • Parsed forensic artefacts for hundreds of types of files, e.g. Shimcache and btmp files
  • Files inside zip files inside tar files inside images, etc.
  • Memory of a system
  • And much more!

Exported data is sent to cloud storage, for import into your SIEM or data lake to be correlated with other data sources:

How to Drink From the Firehose

To turn this functionality on, just go to Settings -> SIEM and enable the export:

Cado can export in CEF Format:

As well as JSON Format:

    {
        "macb": "M...",
        "source": "REG",
        "sourcetype": "Registry Key",
        "type": "Content Modification Time",
        "user": null,
        "host": "-",
        "short": "[HKEY_CURRENT_USER/AppEvents/Schemes/Apps/.Default/Notification.Proximity] (empty)",
        "inode": "-",
        "notes": "-",
        "format": "winreg/winreg_default",
        "extra": "",
        "sha256": "9473976b2769337ca9a7243bf1ceddb3335f9551e113240ebb0c53ae789878d5",
        "tag": null,
        "eventTime": 1610559005,
        "filePath": "/NTUSER.DAT"
    }
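
As an added example (not Cado's own code), the following shows how a record in the JSON format above could be normalized before it is loaded into a SIEM or data lake: the epoch timestamp becomes UTC ISO 8601, the MACB string is expanded into flags, and placeholder values are turned into nulls. Reading "macb" as log2timeline-style flags and treating "-" and "" as placeholders are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the record from the post, wrapped in braces so it parses.
SAMPLE_RECORD = json.dumps({
    "macb": "M...", "source": "REG", "sourcetype": "Registry Key",
    "type": "Content Modification Time", "user": None, "host": "-",
    "short": "[HKEY_CURRENT_USER/AppEvents/Schemes/Apps/.Default/Notification.Proximity] (empty)",
    "inode": "-", "notes": "-", "format": "winreg/winreg_default", "extra": "",
    "sha256": "9473976b2769337ca9a7243bf1ceddb3335f9551e113240ebb0c53ae789878d5",
    "tag": None, "eventTime": 1610559005, "filePath": "/NTUSER.DAT",
})

# Assumption: "macb" follows the log2timeline convention, one position per flag.
MACB_FLAGS = ("modified", "accessed", "changed", "born")
HEX_DIGITS = set("0123456789abcdef")

def parse_macb(macb: str) -> dict:
    """Expand a MACB string such as "M..." into four boolean flags."""
    if len(macb) != len(MACB_FLAGS):
        raise ValueError(f"unexpected macb value: {macb!r}")
    return {name: ch != "." for name, ch in zip(MACB_FLAGS, macb)}

def blank_to_none(value):
    """Assumption: "-" and "" are placeholders for 'no value' in the export."""
    return None if value in ("-", "") else value

def normalize_event(raw_json: str) -> dict:
    """Convert one exported JSON record into a flat, typed row for a data lake."""
    rec = json.loads(raw_json)
    sha256 = blank_to_none(rec.get("sha256"))
    if sha256 is not None and (len(sha256) != 64 or set(sha256.lower()) - HEX_DIGITS):
        raise ValueError(f"malformed sha256: {sha256!r}")
    return {
        # Epoch seconds become an unambiguous UTC timestamp for cross-source correlation.
        "timestamp": datetime.fromtimestamp(rec["eventTime"], tz=timezone.utc).isoformat(),
        **parse_macb(rec["macb"]),
        "source": rec["source"],
        "sourcetype": rec["sourcetype"],
        "event_type": rec["type"],
        "host": blank_to_none(rec["host"]),
        "user": blank_to_none(rec.get("user")),
        "summary": rec["short"],
        "parser": rec["format"],
        "file_path": rec["filePath"],
        "sha256": sha256,
        "tags": rec.get("tag") or [],
    }
```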

For More

For more information on how to best take advantage of this new feature, check out the full technical documentation. If you have yet to get your hands on the Cado platform and want to get started, check out our 14-day free trial.

About Cado Security

Cado Security is the provider of the first cloud forensics and incident response platform. By leveraging the scale and speed of the cloud, the Cado platform automates forensic-level data capture and processing across cloud, container, and serverless environments. Only Cado empowers security teams to respond at cloud speed.