SIEM Integration
A SIEM (Security Information and Event Management) system provides real-time analysis of security events generated by applications and network hardware, an essential capability for SecOps teams that need to correlate events and logs from different systems and prioritise risk. The Cado integration combines a SIEM's correlation capabilities with Cado's cloud forensics value.
The processed timeline from Cado is converted to the Common Event Format (CEF) so that any SIEM can read it. It is also exported in Cado's custom JSON format (CadoJson), which some SIEMs, such as Splunk and Sentinel, parse more readily.
Both the CEF and the JSON file are then uploaded to the AWS S3 bucket and folder of your choice.
You can configure your SIEM to check the S3 bucket for new files and ingest them automatically.
Getting Started
Before you can export the timeline you need to enable SIEM integration under Settings -> Platform Settings -> Integrations -> SIEM. After it is enabled you will be asked to set the S3 bucket and S3 folder the timeline should be exported to.
Once enabled, whenever you import an evidence item, its timeline is automatically converted and uploaded to S3. You then need to configure your SIEM to watch that folder for newly uploaded files so they are ingested automatically.
Cado CEF Standard
This is a sample CEF log that can be generated by Cado:

```text
CEF:0|CadoSecurity|CadoResponse|1.0.2|0|Content Modification Time|10|alarm=True evidence_id=2 evidence_name=aws_compromise.zip macb=M... source=FILE eventTime=1595194940 filePath=/tmp/file.txt eventId=Q5FBqHwBX9dvp1T5IsHT msg=Malicious File Detected: cryptomining_malware_wannamine
```

The log follows this structure:

```text
CEF:0|CadoSecurity|CadoResponse|Version|Signature ID|Name|Severity|Extension
```
The extension part of the message carries additional fields as space-separated key=value pairs. The keys come from a predefined set, outlined below.
Extensions
EXTENSION FIELD | EXAMPLE VALUE | TYPE | FIELD DESCRIPTION |
---|---|---|---|
eventTime | 890430600 | int | Unix timestamp of event. |
source | REG | str | More specific subtype of source. |
sourcetype | LOG | str | The type of the file or data that produced this event. |
type | Last Time Executed | str | Semicolon-separated list of event types, e.g. Last Executed Time, Updated Time, Content Modification Time, Creation Time. |
filePath | /Users/nromanoff/NTUSER.DAT | str | The path of the file associated with this event. |
short | Executable in suspicious location | str | Short text providing additional data from raw event. |
evidence_id | 1 | int | ID of evidence item in Response. |
alarm_severity | 1 | int | Severity of event based on detections. Malicious 1, Suspicious 3, Other 10. |
parent | /Users/nromanoff | str | The parent directory of the file associated with this event. |
macb | .A.. | str | MACB (Modification, Access, Change, Birth) group representation. |
suser | nromanoff | str | User associated with the event. |
host | EC2AMAZ-T80EJE1 | str | Host name associated with the event. |
version | 2 | str | Field in log2timeline CSV. |
filename_stripped | Users nromanoff NTUSER.DAT | str | Name of the file associated with this event. |
inode | 123 | str | The "inode" attribute if present in the event data, otherwise derived from the file system identifier (such as inode, MFT entry) in the path specification. |
notes | This is something that should be further investigated. | Union[str, List[Dict[str, Any]]] | A list of notes the user has added to this event. |
format | winreg/userassist | str | The type of event. |
extra | file_size: 5760; file_system_type: OS; is_allocated: True | str | Longer text, providing more raw data than short. |
isFolder | False | bool | If this event relates to a folder. |
domain | SHIELDBASE | str | Domain associated with the event. |
source_hostname | 203.78.103.109 | str | For network connections, the hostname that it originated from. |
destination_hostname | 194.61.24.102 | str | For network connections, the destination hostname. |
tag | Execution | str | Tag representing type of event. |
alarm_description | Executable in suspicious location | str | Description of the alarm in the event. |
alarm | True | bool | If this event has an alarm associated with it. |
executed_process | C:/Users/Tdungan/AppData/Local/Temp/install_reader10_en_air_gtbd_aih.exe | str | Where we detect a process execution, the path of the executed file. |
file_access | Windows Explorer.lnk | str | How the file was accessed. |
super_short | A Process Was Executed | str | Super short text providing summary of event. |
process_cwd | PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin | str | For memory evidence items, current working directory of event. |
process_arguments | /sbin/dhclient -q -lf /var/lib/dhclient/dhclient--eth0.lease -pf /var/run/dhclient-eth0.pid eth0 | str | For memory evidence items, command line arguments from event. |
source_port | 443 | str | For memory evidence items, port of the source address. |
destination_port | 443 | str | For memory evidence items, port of the destination address. |
eventId | nEqI5nwBOI5t76pr_Z6g | Any | ID relating to the event generated in Cado Response. |
evidence_name | import_test.dd | str | Name of the evidence item imported into Cado Response. |
query_suggestions | [{'str_detected': 'install_reader10_en_air_gtbd_aih.exe', 'url': '?query=install_reader10_en_air_gtbd_aih.exe'}] | List[Dict[str, Any]] | List of suggestions as to what to query next. |
alarm_help_text | Review the malware analysis playbook for advice on how to identify and respond to the malware. | str | Information to help the user understand what the alarm is about and how to respond. |
sha256 | 9473976b2769337ca9a7243bf1ceddb3335f9551e113240ebb0c53ae789878d5 | str | The hash of the file originating the event. |
CadoJson Format
The CadoJson format represents the same fields that Cado Response uses internally. The fields are the same as described above for CEF.
An example is provided below:

```json
{
"macb": "M...",
"source": "REG",
"sourcetype": "Registry Key",
"type": "Content Modification Time",
"user": null,
"host": "-",
"short": "[HKEY_CURRENT_USER/AppEvents/Schemes/Apps/.Default/Notification.Proximity] (empty)",
"inode": "-",
"notes": "-",
"format": "winreg/winreg_default",
"extra": "",
"sha256": "9473976b2769337ca9a7243bf1ceddb3335f9551e113240ebb0c53ae789878d5",
"tag": null,
"eventTime": 1610559005,
"filePath": "/NTUSER.DAT"
}
```
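The following is an added example, not Cado's own code, showing how a SIEM-side ingestion step can parse both export formats described above (the CEF structure and extension table, and the CadoJson object) into one normalized record with the field types the Extensions table gives. It assumes, since the page does not say, one event per line in each file and the usual CEF escaping rules (`\|` inside header fields, `\=` and `\\` inside extension values); the sample inputs are the page's own CEF line and CadoJson object.

```python
"""Normalize Cado's CEF and CadoJson timeline exports into one record shape.

Added example, not Cado's code. Assumptions not stated on the page: one event
per line, CEF escaping ('\\|' in the header, '\\=' and '\\\\' in values), and
the field types from the Extensions table.
"""
import json
import re
from datetime import datetime, timezone
from typing import Any, Dict, List

# Sample CEF line and CadoJson object copied from the page.
SAMPLE_CEF = (
    "CEF:0|CadoSecurity|CadoResponse|1.0.2|0|Content Modification Time|10|"
    "alarm=True evidence_id=2 evidence_name=aws_compromise.zip macb=M... "
    "source=FILE eventTime=1595194940 filePath=/tmp/file.txt "
    "eventId=Q5FBqHwBX9dvp1T5IsHT msg=Malicious File Detected: cryptomining_malware_wannamine"
)
SAMPLE_CADOJSON = """{
  "macb": "M...", "source": "REG", "sourcetype": "Registry Key",
  "type": "Content Modification Time", "user": null, "host": "-",
  "short": "[HKEY_CURRENT_USER/AppEvents/Schemes/Apps/.Default/Notification.Proximity] (empty)",
  "inode": "-", "notes": "-", "format": "winreg/winreg_default", "extra": "",
  "sha256": "9473976b2769337ca9a7243bf1ceddb3335f9551e113240ebb0c53ae789878d5",
  "tag": null, "eventTime": 1610559005, "filePath": "/NTUSER.DAT"
}"""

HEADER_NAMES = ("cef_version", "cef_vendor", "cef_product", "cef_device_version",
                "cef_signature_id", "cef_name", "cef_severity")
INT_FIELDS = {"eventTime", "evidence_id", "alarm_severity"}  # typed 'int' in the table
BOOL_FIELDS = {"alarm", "isFolder"}                          # typed 'bool' in the table
# A new key starts at line start or after whitespace; an escaped '\=' inside a value does not.
KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z][A-Za-z0-9_]*)=")


def split_cef_header(line: str) -> List[str]:
    """Return the 7 header fields plus the raw extension, honouring '\\|' escapes."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):  # escaped char: keep the next char literally
            buf.append(line[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) != 7:
        raise ValueError("CEF header needs 7 pipe-separated fields")
    return fields + [line[i:]]  # whatever follows the 7th pipe is the extension


def _unescape(value: str) -> str:
    """CEF extension unescape: '\\=' -> '=', '\\\\' -> '\\', '\\n'/'\\r' -> control chars."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext: str) -> Dict[str, str]:
    """Split 'key=value key2=value with spaces' into a dict; a value runs up to the next key."""
    keys = list(KEY_RE.finditer(ext))
    out: Dict[str, str] = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].rstrip())
    return out


def normalize(fields: Dict[str, Any], source_format: str) -> Dict[str, Any]:
    """Coerce the table's int/bool fields, add an ISO-8601 timestamp and a sha256 sanity flag."""
    rec: Dict[str, Any] = dict(fields)
    for k in INT_FIELDS.intersection(rec):
        if isinstance(rec[k], str):
            rec[k] = int(rec[k])
    for k in BOOL_FIELDS.intersection(rec):
        if isinstance(rec[k], str):
            rec[k] = rec[k].strip().lower() == "true"
    if isinstance(rec.get("eventTime"), int):
        rec["eventTimeISO"] = datetime.fromtimestamp(rec["eventTime"], tz=timezone.utc).isoformat()
    sha = rec.get("sha256")
    rec["sha256_valid"] = isinstance(sha, str) and re.fullmatch(r"[0-9a-f]{64}", sha) is not None
    rec["_format"] = source_format
    return rec


def parse_cef(line: str) -> Dict[str, Any]:
    """Parse one Cado CEF line into a normalized record (header fields prefixed 'cef_')."""
    header = split_cef_header(line.rstrip("\r\n"))
    if not header[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    rec: Dict[str, Any] = parse_extension(header[7])
    rec.update(zip(HEADER_NAMES, header[:7]))
    rec["cef_version"] = int(header[0][4:])
    rec["cef_severity"] = int(header[6])
    return normalize(rec, "cef")


def parse_cadojson(text: str) -> Dict[str, Any]:
    """Parse one CadoJson object into a normalized record."""
    return normalize(json.loads(text), "cadojson")


if __name__ == "__main__":
    for rec in (parse_cef(SAMPLE_CEF), parse_cadojson(SAMPLE_CADOJSON)):
        print(rec["_format"], rec["eventTimeISO"], rec.get("filePath"), rec.get("alarm"))
```

Both parsers end in `normalize`, so downstream rules (for example, alerting on `alarm` or matching `sha256` against a blocklist) see identical field names and types regardless of which file the SIEM picked up from the bucket. The `sha256_valid` flag catches truncated or non-hex hashes before they are used for lookups, and the CEF header is split by hand rather than with `str.split("|")` so an escaped pipe in a product name does not shift every field by one.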