Get running processes

Khanna Ji · ‎11-30-2018

Referring doc https://docs.servicenow.com/bundle/london-security-management/page/product/security-incident-response-orchestration/task/obtain-WMI-retrieval-workflow.html

It says when I add windows/Unix CI, and put incident in analysis state, system automatically checks running processes from that host/endpoint and list then in the incident.

Wondering how this happens? Without having any host credentials, network configuration or mid server or orchestration workflow. How does this work actually? Is there anything Missing in docs? Or am I missing something?

qcj3 · ‎11-30-2018

I'm told that you have to provide all of that information to your instance so that a MID server can perform the action. I put ours on hold because we would rather our selected EDR solution perform the task.

View solution in original post

andy_ojha · ‎11-30-2018

Hey Swathi - as others have mentioned here, the 'Get Running Processes' does require the use of a MID Server and Orchestration.

I do see "Orchestration" is not called out clearly on that particular docs page (that page is referenced up to the parent section called Security Incident Response Orchestration).

There's a few ways to perform 'Get Running Processes' - either with 3rd party tools like Carbon Black and Tanium, or using native Windows tools like PowerShell and WMI.

For the case of using PowerShell and WMI to perform this, a MID Server with PowerShell is needed.

As you mentioned, credentials will be needed to remotely authenticate and execute the WMI commands.

You can look at configuring Windows creds in the ServiceNow "Credentials Table" here:

https://docs.servicenow.com/bundle/london-servicenow-platform/page/product/credentials/reference/r_WindowsCredentialsForm.html

Or optionally, you can look at configuring the "Log On As" user for the actual MID Server 'Windows Service' account here:

https://docs.servicenow.com/bundle/london-servicenow-platform/page/product/mid-server/task/t_ConfigMIDSvrSvcCredentials.html