
Chapter 3

Getting Started

Comae CLI

Get Started

In general, follow these steps to start using Comae CLI.

  • Get yourself authenticated with Comae.

PowerShell for Windows

This repository contains a set of PowerShell cmdlets for developers and administrators to develop, deploy and manage Comae Stardust applications.

  • For documentation on how to build and deploy applications to Comae please see the Comae Documentation Center.
  • For suggesting improvements, join our improvement discussion #1.

Features

  • Create

    • Create your dump file New-ComaeDumpFile
  • Upload

    • Upload your dump file Send-ComaeDumpFile to the Comae platform.
  • Microsoft Azure / Amazon AWS / Active Directory

    • Invoke-ComaeAwsVMWinAnalyze
    • Invoke-ComaeAzVMWinAnalyze
    • Invoke-ComaeADWinAnalyze

For detailed descriptions and examples of the cmdlets, type:

  • Get-Help Comae to get all the cmdlets.
  • Get-Help <cmdlet name> to get the details of a specific cmdlet.

Installation

    Expand-Archive -Path Comae-Toolkit.zip -Force
    Set-Location -Path  ".\Comae-Toolkit"
    Import-Module .\Comae.psm1

Using Comae PowerShell CLI

Memory images / Dump files

    # Generate the token from the user interface of the Comae platform.
    $Token = "XXXXXXXXXXXXXXXXXXXXXXXXXXXX"

    # $rootDir, $Hostname, $OrganizationId and $CaseId must be set before running the commands below.

    # Create a memory image
    $DumpFile = New-ComaeDumpFile -Directory $rootDir\Dumps -IsCompress

    # Upload the memory image created above
    Send-ComaeDumpFile -Token $Token -Path $DumpFile -ItemType File -Hostname $Hostname -OrganizationId $OrganizationId -CaseId $CaseId
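The acquire-and-upload sequence above, wrapped with the checks an incident responder usually wants around it. This is an added example, not code from the Comae module: the function name `Invoke-MemoryAcquisition`, the `COMAE_TOKEN` environment variable and the `.acquisition.json` sidecar file are assumptions, and it assumes `New-ComaeDumpFile` returns the path of the image, as the usage above implies.

```powershell
# Added example (not part of the Comae module). Hypothetical names:
# Invoke-MemoryAcquisition, COMAE_TOKEN, the ".acquisition.json" sidecar file.
function Invoke-MemoryAcquisition {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $OrganizationId,
        [Parameter(Mandatory)] [string] $CaseId,
        [string] $Directory = (Join-Path $env:SystemDrive 'Dumps'),
        [string] $Hostname  = 'beta.comae.tech'
    )
    $ErrorActionPreference = 'Stop'

    # Read the bearer token from the environment so it is never stored in the script.
    $Token = $env:COMAE_TOKEN
    if ([string]::IsNullOrWhiteSpace($Token)) {
        throw 'COMAE_TOKEN is not set; generate a token in the Comae platform UI first.'
    }

    if (-not (Test-Path -LiteralPath $Directory)) {
        New-Item -ItemType Directory -Path $Directory | Out-Null
    }

    # Acquire the image (assumed to return the path of the file it wrote).
    $DumpFile = New-ComaeDumpFile -Directory $Directory -IsCompress
    if (-not $DumpFile -or -not (Test-Path -LiteralPath $DumpFile)) {
        throw "No memory image was produced in $Directory."
    }

    # Hash the image before it leaves the host so the uploaded copy can be verified later.
    $Record = [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        AcquiredUtc = (Get-Date).ToUniversalTime().ToString('o')
        Path        = $DumpFile
        Bytes       = (Get-Item -LiteralPath $DumpFile).Length
        SHA256      = (Get-FileHash -LiteralPath $DumpFile -Algorithm SHA256).Hash
        CaseId      = $CaseId
    }
    $Record | ConvertTo-Json | Set-Content -LiteralPath "$DumpFile.acquisition.json" -Encoding UTF8

    Send-ComaeDumpFile -Token $Token -Path $DumpFile -ItemType File -Hostname $Hostname `
        -OrganizationId $OrganizationId -CaseId $CaseId

    # Return the acquisition record for the case notes.
    $Record
}
```

Call it with the ids returned by `Get-ComaeOrganizations` and `Get-ComaeCases`, and keep the sidecar record with the case evidence.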

Source Code

  1. Download the source code from GitHub repo

Supported PowerShell Versions

Find Your Way

You can use the following cmdlet to find out all the cmdlets for your environment:

    # Return all the cmdlets for Comae
    Get-Command *Comae*

Contribute Code or Provide Feedback

If you encounter any bugs with the library please file an issue in the Issues section of the project.

Learn More

Get-ComaeCases

Synopsis

Get the list of cases the token belongs to.

Syntax

Get-ComaeCases [-Token] <String> [[-OrganizationId] <String>] [[-Hostname] <String>] [<CommonParameters>]

Parameters

| Name | Alias | Description | Required? | Pipeline Input | Default Value |
| --- | --- | --- | --- | --- | --- |
| Token | | Bearer token generated by the user via the user interface of the Comae platform. | true | false | |
| OrganizationId | | Optional. If this parameter is null or empty, all the cases from all the organizations will be returned. | false | false | |
| Hostname | | Default hostname is beta.comae.tech but this can be changed for private instances. | false | false | beta.comae.tech |

Examples

EXAMPLE 1 Get list

    PS C:\> $Cases = Get-ComaeCases -Token $Token

Get-ComaeOrganizations

Synopsis

Get the list of organizations the token belongs to.

Syntax

Get-ComaeOrganizations [-Token] <String> [[-Hostname] <String>] [<CommonParameters>]

Parameters

| Name | Alias | Description | Required? | Pipeline Input | Default Value |
| --- | --- | --- | --- | --- | --- |
| Token | | Bearer token generated by the user via the user interface of the Comae platform. | true | false | |
| Hostname | | Default hostname is beta.comae.tech but this can be changed for private instances. | false | false | beta.comae.tech |

Examples

EXAMPLE 1 Get list

    PS C:\> $Organizations = Get-ComaeOrganizations -Token $Token

Get-ComaeToolkitPath

Synopsis

Return the path to Comae Toolkit executables.

Syntax

Get-ComaeToolkitPath [<CommonParameters>]

Examples

EXAMPLE 1 Return value

    PS C:\> Get-ComaeToolkitPath

Invoke-ComaeADWinAnalyze

Synopsis

Invoke DumpIt on a remote Windows AD instance, and send it to the Comae platform.

Syntax

Invoke-ComaeADWinAnalyze [-Token] <String> [-OrganizationId] <String> [-CaseId] <String> [-ComputerName] <String> [[-Hostname] <String>] [<CommonParameters>]

Parameters

| Name | Alias | Description | Required? | Pipeline Input | Default Value |
| --- | --- | --- | --- | --- | --- |
| Token | | Bearer token generated by the user via the user interface of the Comae platform. | true | false | |
| OrganizationId | | The organization id can be retrieved in the user interface or by calling Get-ComaeOrganizations. | true | false | |
| CaseId | | The case id can be retrieved in the user interface or by calling Get-ComaeCases. | true | false | |
| ComputerName | | The name of the machine in the Active Directory domain. | true | false | |
| Hostname | | Default hostname is beta.comae.tech but this can be changed for private instances. | false | false | beta.comae.tech |

Examples

EXAMPLE 1 Invoke an Active Directory run command, overriding the script ‘ComaeRespond.ps1’, on the Windows machine named ‘$machinename’.

    PS C:\> Invoke-ComaeADWinAnalyze -Token $Token -OrganizationId $OrganizationId -CaseId $CaseId -ComputerName $machinename

Invoke-ComaeAwsVMWinAnalyze

Synopsis

Invoke DumpIt on a remote Windows AWS virtual machine, and send it to the Comae platform.

Syntax

Invoke-ComaeAwsVMWinAnalyze [-Token] <String> [-OrganizationId] <String> [-CaseId] <String> [[-AccessKey] <String>] [[-SecretKey] <String>] [-Region] <String> [-InstanceId] <String> [[-Hostname] <String>] [<CommonParameters>]

Parameters

| Name | Alias | Description | Required? | Pipeline Input | Default Value |
| --- | --- | --- | --- | --- | --- |
| Token | | Bearer token generated by the user via the user interface of the Comae platform. | true | false | |
| OrganizationId | | The organization id can be retrieved in the user interface or by calling Get-ComaeOrganizations. | true | false | |
| CaseId | | The case id can be retrieved in the user interface or by calling Get-ComaeCases. | true | false | |
| AccessKey | | AWS access key (optional). Only used if Get-AWSCredentials is null. | false | false | |
| SecretKey | | AWS secret key (optional). Only used if Get-AWSCredentials is null. | false | false | |
| Region | | The region the AWS virtual machine belongs to. | true | false | |
| InstanceId | | The instance id of the AWS virtual machine. | true | false | |
| Hostname | | Default hostname is beta.comae.tech but this can be changed for private instances. | false | false | beta.comae.tech |

Examples

EXAMPLE 1 Invoke an SSM run command, overriding the script ‘ComaeRespond.ps1’, on the Windows VM with instance id ‘$instanceid’ in region ‘$region’.

    PS C:\> Invoke-ComaeAwsVMWinAnalyze -Token $Token -OrganizationId $OrganizationId -CaseId $CaseId -Region $region -InstanceId $instanceid

Invoke-ComaeAzVMWinAnalyze

Synopsis

Invoke DumpIt on a remote Windows Azure Virtual Machine, and send it to the Comae platform.

Syntax

Invoke-ComaeAzVMWinAnalyze [-Token] <String> [-OrganizationId] <String> [-CaseId] <String> [-ResourceGroupName] <String> [-VMName] <String> [[-Hostname] <String>] [<CommonParameters>]

Parameters

| Name | Alias | Description | Required? | Pipeline Input | Default Value |
| --- | --- | --- | --- | --- | --- |
| Token | | Bearer token generated by the user via the user interface of the Comae platform. | true | false | |
| OrganizationId | | The organization id can be retrieved in the user interface or by calling Get-ComaeOrganizations. | true | false | |
| CaseId | | The case id can be retrieved in the user interface or by calling Get-ComaeCases. | true | false | |
| ResourceGroupName | | The name of the resource group the Azure virtual machine belongs to. | true | false | |
| VMName | | The name of the Azure virtual machine. | true | false | |
| Hostname | | Default hostname is beta.comae.tech but this can be changed for private instances. | false | false | beta.comae.tech |

Examples

EXAMPLE 1 Invoke a ‘RunPowerShellScript’ run command, overriding the script ‘ComaeRespond.ps1’, on a Windows VM named ‘$VMName’ in resource group ‘$rgname’.

    PS C:\> Invoke-ComaeAzVMWinAnalyze -Token $Token -OrganizationId $OrganizationId -CaseId $CaseId -ResourceGroupName $rgname -VMName $VMName

New-ComaeDumpFile

Synopsis

Create a full memory Microsoft crash dump.

Syntax

New-ComaeDumpFile [-Directory] <String> [-IsCompress] [<CommonParameters>]

Parameters

| Name | Alias | Description | Required? | Pipeline Input | Default Value |
| --- | --- | --- | --- | --- | --- |
| Directory | | Destination folder for the output file. | true | false | |
| IsCompress | | Enables compression for the output file. Useful for large memory images. Memory images can be uncompressed using z2dmp, which is available in the toolkit and also on GitHub as open-source software in Rust (https://github.com/comaeio/z2dmp-rust/) and C (https://github.com/comaeio/z2dmp/). | false | false | False |

Examples

EXAMPLE 1 Creates a compressed memory image in the given target folder.

    PS C:\> New-ComaeDumpFile -Directory C:\Dumps -IsCompress

Send-ComaeDumpFile

Synopsis

Send a memory file to the Comae Platform.

Syntax

Send-ComaeDumpFile [-Token] <String> [-Path] <String> [-ItemType] <String> [-OrganizationId] <String> [-CaseId] <String> [[-Hostname] <String>] [<CommonParameters>]

Parameters

| Name | Alias | Description | Required? | Pipeline Input | Default Value |
| --- | --- | --- | --- | --- | --- |
| Token | | Bearer token generated by the user via the user interface of the Comae platform. | true | false | |
| Path | | Path to memory image generated by DumpIt. | true | false | |
| ItemType | | File (default). | true | false | File |
| OrganizationId | | The organization id can be retrieved in the user interface or by calling Get-ComaeOrganizations. | true | false | |
| CaseId | | The case id can be retrieved in the user interface or by calling Get-ComaeCases. | true | false | |
| Hostname | | Default hostname is beta.comae.tech but this can be changed for private instances. | false | false | beta.comae.tech |

Examples

EXAMPLE 1 Send a memory image to a custom Comae endpoint.

    PS C:\> Send-ComaeDumpFile -Hostname $Hostname -Token $Token -ItemType File -OrganizationId $OrganizationId -CaseId $CaseId -Path $FileDump

Send-ComaeSnapshotFile

Synopsis

Send a memory snapshot archive to the Comae Platform.

Syntax

Send-ComaeSnapshotFile [-Token] <String> [-Path] <String> [-ItemType] <String> [-OrganizationId] <String> [-CaseId] <String> [[-Hostname] <String>] [<CommonParameters>]

Parameters

| Name | Alias | Description | Required? | Pipeline Input | Default Value |
| --- | --- | --- | --- | --- | --- |
| Token | | Bearer token generated by the user via the user interface of the Comae platform. | true | false | |
| Path | | Path to memory image generated by DumpIt. | true | false | |
| OrganizationId | | The organization id can be retrieved in the user interface or by calling Get-ComaeOrganizations. | true | false | |
| CaseId | | The case id can be retrieved in the user interface or by calling Get-ComaeCases. | true | false | |
| Hostname | | Default hostname is beta.comae.tech but this can be changed for private instances. | false | false | beta.comae.tech |

Examples

EXAMPLE 1 Send a memory snapshot archive to a custom Comae endpoint.

    PS C:\> Send-ComaeSnapshotFile -Hostname $Hostname -Token $Token -OrganizationId $OrganizationId -CaseId $CaseId -Path $FileDump