Retrieve running processes with the Get Running Processes workflow

The Security Incident Response - Get Running Processes workflow retrieves the running processes of a configuration item when added to a Windows-based security incident in the Analysis state.

Before you begin

Role required: sn_si.analyst

About this task

For new security incidents, the workflow runs automatically when you submit the incident with a selected configuration item and when the state automatically changes to Analysis. If the incident remains in the Draft state, the workflow does not run.

Existing security incidents automatically update when in the Analysis state and a new configuration item is added.

Note: For information on using the Get Running Processes via WMI activity in workflows, see Retrieve running processes with the Get Running Processes workflow.
Security Incident Response - Get Running Processes workflow diagram

Procedure

  1. Open a security incident.
  2. Update the State to Analysis, if necessary.
  3. Add a configuration item (computer, server, or similar).
  4. Click Update.
    Security Incident Response Orchestration provides running process information in the Related Link > Security Incident Enrichments tab. For more information, see Security Operations enrichment data mapping.