Get Running Services - WMI Enrichment

The Security Incident Response - Get Running Services workflow gathers running services on a configuration item added to a security incident. The Get Running Services - WMI Enrichment activity is launched automatically to retrieve running services information for a Windows host.

Input variables

Input variables determine the initial behavior of the activity.

Table 1. Input variables

| Variable | Description |
|---|---|
| target [string] | The fully qualified domain name (FQDN) of the target system. |

Output variables

The output variables contain data that can be used in subsequent activities.

Table 2. Output variables

| Variable | Description |
|---|---|
| response [string] | A JSON string representing the current running services on the target system. |

JSON data includes:

- name: The name of the service
- pid: The process identifier of the running service

Also, if available:

- service_type: The type of running service
- start_name: The system name for the service
- path: The file path of the running service executable
- start_mode: The start mode of the running service
- display_name: The name of the running service as it appears to the user

Restrictions

- The MID Server must support PowerShell.
- SHA-256 hash requires PowerShell V4.
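
A subsequent activity can triage the `response` output variable described under Output variables; the following is an added example in plain JavaScript, not ServiceNow's own code. It assumes `response` is a JSON array of objects keyed by the Table 2 field names, and the directory and account allow-lists are illustrative heuristics chosen for this example.

```javascript
// Added example: triage the `response` output of the activity.
// Assumption: `response` is a JSON array of objects using the field names
// listed in Table 2; only `name` and `pid` are guaranteed to be present.
const EXPECTED_DIRS = ['c:\\windows\\', 'c:\\program files\\', 'c:\\program files (x86)\\'];
const BUILTIN_ACCOUNTS = ['localsystem', 'nt authority\\localservice', 'nt authority\\networkservice'];

function triageServices(response) {
  let services;
  try {
    services = JSON.parse(response);
  } catch (e) {
    return { error: 'response is not valid JSON', findings: [] };
  }
  if (!Array.isArray(services)) {
    return { error: 'response is not a JSON array', findings: [] };
  }
  const findings = [];
  for (const svc of services) {
    const reasons = [];
    // Optional fields may be absent, so normalise before comparing.
    const path = String(svc.path || '').replace(/^"/, '').toLowerCase();
    const account = String(svc.start_name || '').toLowerCase();
    if (!path) {
      reasons.push('no executable path reported');
    } else if (!EXPECTED_DIRS.some((dir) => path.startsWith(dir))) {
      reasons.push('executable outside Windows/Program Files');
    }
    if (account && !BUILTIN_ACCOUNTS.includes(account)) {
      reasons.push('runs under non-built-in account ' + svc.start_name);
    }
    if (reasons.length > 0) {
      findings.push({ name: svc.name, pid: svc.pid, reasons: reasons });
    }
  }
  return { error: null, findings: findings };
}

// Constructed sample data, not output captured from a real host.
const SAMPLE_RESPONSE = JSON.stringify([
  { name: 'Dnscache', pid: 1204, path: 'C:\\Windows\\system32\\svchost.exe -k NetworkService',
    start_name: 'NT AUTHORITY\\NetworkService', start_mode: 'Auto', display_name: 'DNS Client' },
  { name: 'UpdaterSvc', pid: 4312, path: 'C:\\Users\\Public\\updater.exe',
    start_name: 'LocalSystem', start_mode: 'Auto', display_name: 'Updater Service' },
  { name: 'BackupAgent', pid: 2788, path: '"C:\\Program Files\\Backup\\agent.exe"',
    start_name: 'CORP\\svc_backup', start_mode: 'Manual', display_name: 'Backup Agent' },
  { name: 'LegacySvc', pid: 988 }
]);

console.log(JSON.stringify(triageServices(SAMPLE_RESPONSE), null, 2));
```

A finding here is a prompt for analyst review on the security incident, not a verdict; services that report only `name` and `pid` are flagged so the missing path can be checked by other means.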