As part of the Comae beta program (currently open in Magnet Idea Lab), we are regularly introducing new features for the community of testers to provide feedback on. These new features, in addition to previously existing—and potentially lesser known—features already in Comae will help make deep dive memory analysis more accessible, automated, and scalable.
Want to know more about Comae memory queries? We are hosting an upcoming webinar on September 21 that will show how they can be used as detection playbooks for threat-hunting and incident response. If you can’t make the webinar live, sign up and receive a link to view a recording afterwards.
Currently, the logic is focused on Windows, but we have plans to extend to other operating systems next year. Those playbooks can contain either SQL-like or GraphQL Comae memory queries, and associate results with MITRE ATT&CK tag ids so that findings are reported at a consistent level of abstraction. This format will be improved over time and in a transparent manner.
A great thing about Comae memory queries is that existing open-source behavior-focused rules such as SIGMA, or even Elastic EQL, can be leveraged and ported to be memory-focused—providing analysts a new dimension of coverage by enabling behavior-based signatures for memory instead of relying solely on pattern-based signatures such as YARA rules. This approach offers blue teams new, more dynamic scenarios that were not possible before.
More information about the format of playbooks can be found on the Comae Documentation Center.
APIs, Scripting, Cmdlet
In addition to the initial release of our playbooks, we are also publishing our new APIs to enable orchestration and integration with third parties. The initial API SDK is currently available in both Python & PowerShell (CmdLet) through our public repository comae-cli.
The first category of API is for interacting with the Comae platform: listing organizations and cases, and also sending memory images (.dmp files) directly to the platform. This enables remote acquisition scenarios in which you drop the Comae Toolkit, which contains the new PowerShell cmdlet, onto a target machine, perform a memory acquisition, and send the resulting image to the Comae platform.
More information about our PowerShell CmdLet can be found on the Comae Documentation Center.
Join the Comae Beta to Provide Your Feedback
As we continue our efforts in building the most comprehensive platform for deep dive memory analysis, we welcome feedback and contributions from our users. Feedback can be submitted directly through GitHub issues for comae-cli and playbooks.
If you are not a user yet, you can join the Comae Beta by applying over at Magnet Idea Lab.