Get running processes

Khanna Ji
Tera Guru

Referring doc https://docs.servicenow.com/bundle/london-security-management/page/product/security-incident-response-orchestration/task/obtain-WMI-retrieval-workflow.html

It says that when I add a Windows/Unix CI and put the incident in the Analysis state, the system automatically checks running processes from that host/endpoint and lists them in the incident.

Wondering how this happens without having any host credentials, network configuration, MID server or orchestration workflow. How does this actually work? Is there anything missing in the docs? Or am I missing something?

1 ACCEPTED SOLUTION

qcj3
Kilo Guru

I'm told that you have to provide all of that information to your instance so that a MID server can perform the action.  I put ours on hold because we would rather our selected EDR solution perform the task.

5 REPLIES

So I need to set up a MID server for this, but why is nothing showing in the logs that the MID server is missing or not configured? What is an EDR solution?

Endpoint Detect and Respond.  (Carbon Black, Crowdstrike Falcon, etc.)

I'm not sure about your MID server errors. I tried to make this work but killed the idea during requirements gathering due to the complexity of our organization.

Chris McDevitt
ServiceNow Employee

A quick look at the doc reveals that it is using Orchestration. Orchestration uses Credentials:

https://docs.servicenow.com/bundle/london-servicenow-platform/page/administer/orchestration-activity-designer/concept/credentials-conn-alias-orch.html