Skip to main content

SIEM Integration

SIEM (Security Information and Event Management) is a tool that provides real-time analysis of security events generated by applications and network hardware - an essential capability for SecOps teams to correlate events and logs from different systems and manage risks more wisely. The integration with the Cado platform leverages the power of SIEM systems with Cado’s unique forensics value in the cloud.

The processed timeline from Cado will be converted to a standard format (CEF) so it can be universally read by SIEM systems. It will also be exported in Cado's custom Json format (CadoJson) which is better parsed by some SIEMs such as Splunk and Sentinel.

The CEF and JSON file will then be uploaded to your AWS S3 bucket and folder of choice.

You can configure your SIEM system to automatically check for new files in the S3 bucket and to add them to your SIEM system automatically.

Getting Started

Before you can export the timeline you need to enable SIEM integration found under Settings -> Platform Settings -> Integrations -> SIEM. After it is enabled you will be asked to set the S3 bucket and S3 folder you wish for the timeline to be exported to.

SIEM Settings in Cado

When enabled whenever you import an evidence item, the timeline will be automatically converted and uploaded to S3. You then need to configure your SIEM system to watch the folder for any new files uploaded so they can be automatically added to your SIEM.

Cado CEF Standard

This is a sample CEF log that can be generated by Cado:

CEF:0|CadoSecurity|CadoResponse|1.0.2|0|Content Modification Time|10|alarm=True evidence_id=2 macb=M... source=FILE eventTime=1595194940 filePath=/tmp/file.txt eventId=Q5FBqHwBX9dvp1T5IsHT msg=Malicious File Detected: cryptomining_malware_wannamine

The log follows the below standard:

CEF:0|CadoSecurity|CadoResponse|Version|Signature ID|Name|Severity|Extension

The extension part of the message is a placeholder for additional fields that are represented by key-value pairs. The keys are part of a predefined set and are outlined below.


eventTime890430600intUnix timestamp of event.
sourceREGstrMore specific subtype of source.
sourcetypeLOGstrThe type of the file or data that produced this event.
typeLast Time Executedstr; separated list of event types, e.g. Last Executed Time, Updated Time, Content Modification Time, Creation Time.
filePath/Users/nromanoff/NTUSER.DATstrThe path of the file associated with this event.
shortExecutable in suspicious locationstrShort text providing additional data from raw event.
evidence_id1intID of evidence item in Response.
alarm_severity1intSeverity of event based on detections. Malicious 1, Suspicious 3, Other 10.
parent/Users/nromanoffstrThe path of the file associated with this event.
macb.A..strMACB (Modification, Access, Change, Birth) group representation.
susernromanoffstrUser associated with the event.
hostEC2AMAZ-T80EJE1strHost name associated with the event.
version2strField in log2timeline CSV.
filename_strippedUsers nromanoff NTUSER.DATstrName of the file associated with this event.
inode123strThe "inode" attribute if present in the event data, otherwise derived from the file system identifier (such as inode, MFT entry) in the path specification.
notesThis is something that should be further investigated.Union[str, List[Dict[str, Any]]]A list of notes the user has added to his event.
formatwinreg/userassiststrThe type of event.
extrafile_size: 5760; file_system_type: OS; is_allocated: TruestrLonger text, providing more raw data than short.
isFolderFalseboolIf this event relates to a folder.
domainSHIELDBASEstrDomain associated with the event.
source_hostname203.78.103.109strFor network connections, the hostname that it originated from.
destination_hostname194.61.24.102strFor network connections, the destination hostname.
tagExecutionstrTag representing type of event.
alarm_descriptionExecutable in suspicious locationstrDescription of the alarm in the event.
alarmTrueboolIf this event has an alarm associated with it.
executed_processC:/Users/Tdungan/AppData/Local/Temp/ install_reader10_en_air_gtbd_aih.exestrWhere we detect a process execution, the path of the executed file.
file_accessWindows Explorer.lnkstrHow the file was accessed.
super_shortA Process Was ExecutedstrSuper short text providing summary of event.
process_cwdPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/binstrFor memory evidence items, current working directory of event.
process_arguments/sbin/dhclient -q -lf /var/lib/dhclient/ -pf /var/run/ eth0strFor memory evidence items, command line arguments from event.
source_port443strFor memory evidence items, port of the source address.
destination_port443strFor memory evidence items, port of the destination address.
eventIdnEqI5nwBOI5t76pr_Z6gAnyID relating to the event generated in Cado Response.
evidence_nameimport_test.ddstrName of the evidence item imported into Cado Response.
query_suggestions[{'str_detected': 'install_reader10_en_air_gtbd_aih.exe', 'url': '?query\=install_reader10_en_air_gtbd_aih.exe'}]List[Dict[str, Any]]List of suggestions as to what to query next.
alarm_help_textReview the malware analysis playbook for advice on how to identify and respond to the malware.strInformation to help the user undertstand what the alarm is about and how to respond.
sha2569473976b2769337ca9a7243bf1ceddb3335f9551e113240ebb0c53ae789878d5strThe hash of the file originating the event.

CadoJson Format

The CadoJson format represents the same fields that Cado Response uses internally. The fields are the same as described above for CEF.

An example is provided below:

"macb": "M...",
"source": "REG",
"sourcetype": "Registry Key",
"type": "Content Modification Time",
"user": null,
"host": "-",
"short": "[HKEY_CURRENT_USER/AppEvents/Schemes/Apps/.Default/Notification.Proximity] (empty)",
"inode": "-",
"notes": "-",
"format": "winreg/winreg_default",
"extra": "",
"sha256": "9473976b2769337ca9a7243bf1ceddb3335f9551e113240ebb0c53ae789878d5",
"tag": null,
"eventTime": 1610559005,
"filePath": "/NTUSER.DAT"