Get Running Services - WMI Enrichment

The Security Incident Response - Get Running Services workflow gathers running services on a configuration item added to a security incident.

The Get Running Services - WMI Enrichment activity is launched automatically to retrieve running services information for a Windows host.

Input variables

Input variables determine the initial behavior of the activity.

Table 1. Input variables

| Variable | Description |
|---|---|
| target [string] | The fully qualified domain name (FQDN) of the target system. |

Output variables

The output variables contain data that can be used in subsequent activities.

Table 2. Output variables

| Variable | Description |
|---|---|
| response [string] | A JSON string representing the current running services on the target system. |

JSON data includes:

The name of the service
The process identifier of the running service

Also, if available:

The type of running service
The system name for the service
The file path of the running service executable
The start mode of the running service
The name of the running service as it appears to the user


The MID Server must support PowerShell.

SHA-256 hash requires PowerShell V4.
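
To make the shape of the response concrete, the following added example (not ServiceNow's activity code) queries the standard WMI class Win32_Service on a target host and emits one JSON record per running service, with the optional fields included only when WMI returns a value. The function name, the JSON key names, the error-object shape and the placeholder FQDN are assumptions for illustration.

```powershell
# Added illustration, not the activity's own script.
# Function name and JSON key names are assumed; Win32_Service and its properties are standard WMI.
function Get-RunningServiceJson {
    [CmdletBinding()]
    param(
        # FQDN of the target system (corresponds to the 'target' input variable)
        [Parameter(Mandatory = $true)]
        [string]$Target
    )

    # Filter on the WMI side so only running services are returned
    $query = @{
        ClassName    = 'Win32_Service'
        Filter       = "State = 'Running'"
        ComputerName = $Target
        ErrorAction  = 'Stop'
    }
    try {
        $services = Get-CimInstance @query
    }
    catch {
        # Report the failure explicitly so an unreachable host is not
        # mistaken for a host with no running services
        return (@{ target = $Target; error = $_.Exception.Message } | ConvertTo-Json -Compress)
    }

    $rows = foreach ($svc in $services) {
        # Always present: service name and process identifier
        $row = [ordered]@{ name = $svc.Name; processId = $svc.ProcessId }
        # "If available" fields: added only when WMI returned a value
        $optional = [ordered]@{
            serviceType = $svc.ServiceType
            systemName  = $svc.SystemName
            pathName    = $svc.PathName
            startMode   = $svc.StartMode
            displayName = $svc.DisplayName
        }
        foreach ($key in $optional.Keys) {
            if (-not [string]::IsNullOrEmpty($optional[$key])) { $row[$key] = $optional[$key] }
        }
        [pscustomobject]$row
    }

    # @() keeps the result a JSON array even when a single service is returned
    ConvertTo-Json -InputObject @($rows) -Depth 3
}

Get-RunningServiceJson -Target 'host01.example.com'   # placeholder FQDN
```

During triage, the `pathName` and `startMode` values are the fields to compare against the host's expected service baseline.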