Get running processes

Khanna Ji · ‎11-30-2018

Referring doc https://docs.servicenow.com/bundle/london-security-management/page/product/security-incident-response-orchestration/task/obtain-WMI-retrieval-workflow.html

It says when I add windows/Unix CI, and put incident in analysis state, system automatically checks running processes from that host/endpoint and list then in the incident.

Wondering how this happens? Without having any host credentials, network configuration or mid server or orchestration workflow. How does this work actually? Is there anything Missing in docs? Or am I missing something?

qcj3 · ‎11-30-2018

I'm told that you have to provide all of that information to your instance so that a MID server can perform the action. I put ours on hold because we would rather our selected EDR solution perform the task.

View solution in original post

qcj3 · ‎11-30-2018

I'm told that you have to provide all of that information to your instance so that a MID server can perform the action. I put ours on hold because we would rather our selected EDR solution perform the task.

Khanna Ji · ‎11-30-2018

So I need to set up mid server for this but why nothing is showing in logs that mid server is missing or not configured? What is ERD solution?

qcj3 · ‎11-30-2018

Endpoint Detect and Respond. (Carbon Black, Crowdstrike Falcon, etc.)

I'm not sure about you MID server errors. I tried to make this work but killed the idea during requirements gathering due to the complexity of our organization.

Chris McDevitt · ‎11-30-2018

A quick look at the doc reveals that it is using Orchestration. Orchestration uses Credentials:

https://docs.servicenow.com/bundle/london-servicenow-platform/page/administer/orchestration-activity-designer/concept/credentials-conn-alias-orch.html