Skip to content
Product
Icon-Platform
Platform

Explore the core capabilities of the Cado Platform.

 Icon-Environments
Environments

Discover the broad support that the Cado platform offers.

 Icon-Integrations
Integrations

Learn how the Cado platform integrates into your broader ecosystem.
Solutions
Use Cases
Icon-Cross-Cloud Investigations
Cross Cloud Investigations

Respond to incidents identified in AWS, Azure, and GCP in a single pane of glass.

 Icon-Container-Investigations
Container & K8s Investigations

Perform container investigations in EKS, AKS, GKE, and Kubernetes.

 Icon-Endpoint-Triage
Endpoint Triage

Automate endpoint triage for immediate insights and quick escalation.

 Icon-BEC-Compromise
SaaS Investigations

Analyze critical SaaS logs to investigate Business Email Compromise.

 Icon-Incident-Containment
Cloud Detection & Response (CDR)

Marry threat detection with forensic context to expedite response.

Icon-Evidence-Preservation
Evidence Preservation

Capture data immediately and preserve it before it disappears.
Cado For
DFIR
SOC
MSSPs
Partners
Government
Resources
Icon-Report
All Resources

Explore Cado Security's entire content library.

 Icon-Blog
Blog

Timely commentary from the Cado Security team.

 Icon-Playbook
Playbooks

Best practices for investigating and responding to threats.

Icon-Cheat-Sheet
Cheat Sheets

Quick tips for investigating and responding to incidents.

 Icon-News
News

The latest Cado company announcements, press, and more.

 Icon-Community
Community

Access to our free edition of the Cado platform.

 Icon-documentation
Documentation

Technical documentation on how to best leverage the Cado platform.

 White Paper 80x80
Wiki

Everything you need to know about cloud security and cloud forensics.

Company
Icon-About
About

Learn more about the Cado Security mission, vision, and team.

 Icon-Careers
Careers

Check out current career opportunities at Cado Security.

 Icon-Incidident-Response Preparedness-II
Cado Security Labs

The research and development division at Cado Security
Get a Demo
    Get a Demo
      curve design on left cloud image

      The Cado Platform Full Export for Forensic Data Lakes

      Written by: jbowen@cadosecurity.com

      Previously we released a SIEM export feature which enabled security professionals to export a subset of events collected by the Cado platform. Most recently, we've expanded the platform's feature set to support the ability to export everything that Cado knows about a system. Because the Cado platform processes every file on a system offline, in depth, this new feature enables security teams to further augment incident investigations with greater forensic detail and context than ever before.

      This “firehose” export of any system (e.g. EC2/EKS/ECS/Azure Compute/Google Compute/On-Premise) contains everything a security analyst would ever want to know about a system. Some examples of the type of data that is exported include:

      • Normalized log and file access data

      • Detections for file content and log events

      • Parsed forensic artefacts for hundreds of types of files, e.g. Shimcache and btmp files

      • Files inside zip files inside tar files inside images, etc.

      • Memory of a system

      • And much more!

      Exported data is sent to cloud storage, for import into your SIEM or data lake to be correlated with other data sources:

      How to Drink From the Firehose

      To turn this functionality on, just go to Settings -> SIEM and enable the export:

      Cado can export in CEF Format:

      As well as JSON Format:

      {
      
    "macb": "M...",
      
    "source": "REG",
      
    "sourcetype": "Registry Key",
      
    "type": "Content Modification Time",
      
    "user": null,
      
    "host": "-",
      
    "short": "[HKEY_CURRENT_USER/AppEvents/Schemes/Apps/.Default/Notification.Proximity] (empty)",
      
    "inode": "-",
      
    "notes": "-",
      
    "format": "winreg/winreg_default",
      
    "extra": "",
      
    "sha256": "9473976b2769337ca9a7243bf1ceddb3335f9551e113240ebb0c53ae789878d5",
      
    "tag": null,
      
    "eventTime": 1610559005,
      
    "filePath": "/NTUSER.DAT"
      
}

      For More

      For more information on how to best take advantage of this new feature, check out the full technical documentation. If you have yet to get your hands on the Cado platform and want to get started, check out our 14-day free trial.

      Tag(s): Cloud Investigations | Announcements

      More from the blog

      View All Posts
      Event Recap icon
      blog icon Event Recap
      Uncovering Threats with Cado Security: Highlights from the October 30th CTF
      November 6, 2024

      On October 30th, Cado Security hosted an engaging Capture the Flag (CTF) event, offering cybersecurity professionals an...

      Continue Reading
      News icon
      blog icon News
      Cado Security Announces New Integration with CrowdStrike to Accelerate Forensics and Incident Response
      February 7, 2024

      Today we're excited to announce the integration between Cado Security's cloud forensics and incident response platform and...

      Continue Reading
      blog post icon
      Investigating AWS EC2 Compromise CTF by Cado Security
      November 6, 2023

      Cybersecurity threats are constantly evolving, and staying ahead of the game requires continuous learning and hands-on...

      Continue Reading