Get Running Services - WMI Enrichment

The Security Incident Response - Get Running Services workflow gathers running services on a configuration item added to a security incident.

The Get Running Services - WMI Enrichment activity is launched automatically to retrieve running services information for a Windows host.

Input variables

Input variables determine the initial behavior of the activity.

Table 1. Input variables
Variable Description
target [string] The fully qualified domain name (FQDN) of the target system.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 2. Output variables
Variable Description
response [string]

A JSON string representing the current running services on the target system.

JSON data includes:

name
The name of the service
pid
The process identifier of the running service

Also, if available:

service_type
The type of running service
start_name
The system name for the service
path
The file path of the running service executable
start_mode
The start mode of the running service
display_name
The name of the running service as it appears to the user
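The response shape above, as an added PowerShell example that is not the activity's own script: it queries the Win32_Service WMI class on the target and emits a JSON string with name and pid always present and the remaining fields only when WMI returned a value. The function name, the $Target parameter and the sample FQDN are assumptions.

```powershell
# Added example (not the activity's own code). Assumes the MID Server can reach
# the target over WinRM/WMI and that the caller passes the FQDN as -Target.
function Get-RunningServicesJson {
    param(
        [Parameter(Mandatory)] [string] $Target   # FQDN of the Windows host
    )

    # Win32_Service is the WMI class that carries the fields listed in Table 2;
    # only services in the Running state are kept.
    $services = Get-CimInstance -ClassName Win32_Service -ComputerName $Target |
        Where-Object { $_.State -eq 'Running' }

    $records = foreach ($svc in $services) {
        # name and pid are always emitted
        $rec = [ordered]@{
            name = $svc.Name
            pid  = [int]$svc.ProcessId
        }
        # The remaining fields are emitted only "if available" (non-empty in WMI)
        $optional = [ordered]@{
            service_type = $svc.ServiceType
            start_name   = $svc.StartName
            path         = $svc.PathName
            start_mode   = $svc.StartMode
            display_name = $svc.DisplayName
        }
        foreach ($key in $optional.Keys) {
            if (-not [string]::IsNullOrEmpty($optional[$key])) {
                $rec[$key] = $optional[$key]
            }
        }
        [pscustomobject]$rec
    }

    # -InputObject @(...) keeps a JSON array even when only one service is running;
    # -Compress yields the single-line string a subsequent activity consumes.
    return ConvertTo-Json -InputObject @($records) -Compress
}

# Usage with a constructed FQDN (assumption, not from the page):
# $response = Get-RunningServicesJson -Target 'host01.example.corp'
```

Get-CimInstance requires PowerShell 3.0 or later, which is within the PowerShell V4 restriction noted below; Get-WmiObject -Class Win32_Service returns the same properties over DCOM if WinRM is not enabled on the target.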

Restrictions

The MID Server must support PowerShell.

SHA-256 hash requires PowerShell V4.