Skip to main content

Timeline Search

The Cado platform includes an advanced search interface which supports complex queries.

Cado allows you to filter your search based upon 'facets', like event severity, or associated user name, file, source/destination IP address

Faceted Search

For long lists of facets, you can search and sort the list of facets

Faceted List

Basic Searches

You can also use the search bar to craft specific searches using search strings

Plain search terms

Providing plain search terms will search across all fields, for example: foo

You can quote terms containing spaces: "foo bar"


You can search a specific field by prepending it to the search term: user: Chris OR extra: "foo bar"


You can restrict a field to a range of values: file_size: [1024 TO 8196]

Building complex queries

You can build complex queries using AND, OR and NOT to combine terms, and brackets to group ():

For example: alarm_severity: [0 TO 5] AND (user: "Chris" OR user: "James") AND NOT filename: "/foo/bar.txt"


Note that without brackets, ANDs will bind before ORs. This means that user: "Chris" AND user: "James" OR filename: "/foo/bar.txt" is searched as (user: "Chris" AND user: "James") OR filename: "/foo/bar.txt".


Searchable fields

macbkeyword4 character string which encoding MACB information for this event. An M in position 0 indicates this is a Modified event and a . represents a non-modified event. e.g. M..B indicates modified and birth.
sourcekeywordThe type of the file or data that produced this event e.g. EVT, CLOUDTRAIL, FILE, JAVA_IDX, LOG.
sourcetypekeywordMore specific subtype of source
typekeyword; separated list of event types, e.g. Last Executed Time, Updated Time, Content Modification Time, Creation Time.
userkeywordUser associated with the event
hostkeywordHost name associated with the event
filenamespecialThe path of the file associated with this event
full_filenamekeywordThe full path of the file associated with this event, supports regex and must match entire path
inodekeywordThe inode number of the file associated with this event
source_hostnamekeywordFor network connections, the hostname that it originated from
destination_hostnamekeywordFor network connections, the destination hostname
tagkeywordTag representing type of event e.g. Network Logon, File Access, Execution
executed_processkeywordWhere we detect a process execution, the path of the executed file
shorttextShort text providing additional data from raw event
extratextLonger text, providing more raw data than short
alarm_severityintSeverity of event based on detections. Malicious 1, Suspcious 3, Other 10
isFolderbooleanWhether an event is a folder.
evidence_idintID of evidence item
timestampintUnix timestamp of event
evidence_idintthe id of a specific evidence to search within
file_sizeintsize of file associated with this event
sha256textsha256 of the file associated with this event
stringstextStrings extracted from file associated with this event
is_starredboolWhether an event is starred
for_reportboolWhether an event is included in the report
alarm_descriptionkeywordShort description explaining the reason for an alarm
alarm_attackkeywordMitre attack code
attribute_namekeyword$STANDARD_INFORMATION / $FILENAME / null

Fields of type int or keyword require the search term to match exactly in order to return a result. For example, for an event with user equal to chris, the search term:

  • user: chris matches
  • user: ch* matches
  • user: ch does not match

Fields of type keyword support wildcard characters. Use ? as a single-character wildcard and * for any number of characters.

Fields of type text do not require a full match. E.g. searching for strings: content will return the event with the following strings data: This is some example content.