‎11-30-2018 10:00 AM
Referring doc https://docs.servicenow.com/bundle/london-security-management/page/product/security-incident-response-orchestration/task/obtain-WMI-retrieval-workflow.html
It says when I add a Windows/Unix CI and put the incident in analysis state, the system automatically checks running processes from that host/endpoint and lists them in the incident.
Wondering how this happens? Without having any host credentials, network configuration or MID server or orchestration workflow. How does this work actually? Is there anything missing in docs? Or am I missing something?

‎11-30-2018 10:10 AM
I'm told that you have to provide all of that information to your instance so that a MID server can perform the action. I put ours on hold because we would rather our selected EDR solution perform the task.

‎11-30-2018 10:45 AM

‎11-30-2018 11:35 AM
Endpoint Detect and Respond. (Carbon Black, Crowdstrike Falcon, etc.)
I'm not sure about your MID server errors. I tried to make this work but killed the idea during requirements gathering due to the complexity of our organization.

‎11-30-2018 12:06 PM
A quick look at the doc reveals that it is using Orchestration. Orchestration uses Credentials:
https://docs.servicenow.com/bundle/london-servicenow-platform/page/administer/orchestration-activity-designer/concept/credentials-conn-alias-orch.html