Create playbooks

Detections

Memory queries in the Comae platform let a detection ask a specific question of a single memory snapshot or of several snapshots at once.

The Comae platform ships with pre-built rules; this section uses one of them as an example to show how the feature can be leveraged.

Queries can be written in two different ways:

  • SQL-like
  • GraphQL

You can learn more and find more examples of playbooks and queries on our GitHub playbook repository.

Get Started

Examples

Field          Description
name           Name for the playbook. Displayed in the UI.
description    Short summary of what this playbook does.
author         Information related to the author. Useful for sharing.
references     Related links or references to learn more about a threat or technique addressed by the playbook.
date           Creation date.
modified       Last modified date.
tags           Generic tags. (Ignored)
query          This can be an array of queries. Usually used as a single one.
query.threat   Value can either be malicious or suspicious.
query.mitre    Corresponding MITRE ATT&CK tag. This is used by the UI for the threat mapping visualization.
query.sql      You can have either SQL or GQL queries. SQL has priority over GQL.
query.gql      You can have either SQL or GQL queries. SQL has priority over GQL.
name = "Process Injection (T1055)"

description = "Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges."
author = "Matt Suiche (@msuiche), Radovan Stevanovic"

references = [
  "https://attack.mitre.org/techniques/T1055/012/"
]
date = 2022-08-20
modified = 2022-08-23

tags = ["attack.privilege_escalation"]

[[query]]
threat = "malicious"
mitre = ["T1055.011"]
sql = """
select distinct p.processId as PID, p.parentProcessId as PPID, p.imageFileName as processName, p.commandLine as commandLine, v.startingVpn as startingVpn
  from `Processes/vadObject` as v
  left join `Processes/processObject` as p
  on v.identity = p.identity
  where v.isImage = true and v.protection = 'MM_EXECUTE_READWRITE'
"""

# gql="""
# vadObject(query: {
#    isImage: {is:true},
#    protection:{ is:EXECUTE_READWRITE}
#  }) {
#    processObject {
#      processId
#      commandLine
#      parentProcessId
#      processName
#    }
#    startingVpn
#  }
# """
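A small validator for the field rules in the table above, added here as an example and not part of the Comae platform or its playbook repository. It enforces the two allowed threat values and the SQL-over-GQL priority from the table; the MITRE tag format check (T#### or T####.###) is an assumption based on ATT&CK ids, and SAMPLE_PLAYBOOK is the parsed form of the Process Injection playbook shown.

```python
import re

VALID_THREATS = {"malicious", "suspicious"}
# Assumed format check: ATT&CK technique ids look like T1055 or T1055.011 (not a Comae rule).
MITRE_ID = re.compile(r"T\d{4}(?:\.\d{3})?")

def select_query_text(query: dict) -> tuple[str, str]:
    """Pick the query that will run: SQL has priority over GQL when both are set."""
    if query.get("sql"):
        return "sql", query["sql"]
    if query.get("gql"):
        return "gql", query["gql"]
    raise ValueError("neither 'sql' nor 'gql' is set")

def validate_playbook(playbook: dict) -> list[str]:
    """Return the problems found; an empty list means the playbook passes the checks."""
    problems = []
    for field in ("name", "description"):
        if not str(playbook.get(field, "")).strip():
            problems.append(f"missing or empty '{field}'")
    queries = playbook.get("query") or []
    if isinstance(queries, dict):  # a single [query] table is treated as a one-element array
        queries = [queries]
    if not queries:
        problems.append("no [[query]] entries")
    for i, q in enumerate(queries):
        if q.get("threat") not in VALID_THREATS:
            problems.append(f"query[{i}]: threat must be 'malicious' or 'suspicious'")
        for tag in q.get("mitre", []):
            if not MITRE_ID.fullmatch(str(tag)):
                problems.append(f"query[{i}]: malformed MITRE tag {tag!r}")
        try:
            select_query_text(q)
        except ValueError as exc:
            problems.append(f"query[{i}]: {exc}")
    return problems

# Parsed form of the Process Injection playbook above (values copied from the page, query shortened).
SAMPLE_PLAYBOOK = {
    "name": "Process Injection (T1055)",
    "description": "Adversaries may inject code into processes in order to evade process-based defenses.",
    "query": [{
        "threat": "malicious",
        "mitre": ["T1055.011"],
        "sql": "select distinct p.processId as PID from `Processes/vadObject` as v "
               "left join `Processes/processObject` as p on v.identity = p.identity "
               "where v.isImage = true and v.protection = 'MM_EXECUTE_READWRITE'",
    }],
}

if __name__ == "__main__":
    print(validate_playbook(SAMPLE_PLAYBOOK) or "playbook OK")
```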