Security Incident Response - Get Running Services workflow

  • Release version: Australia
  • Updated March 12, 2026
  • 1 minute read

  The Security Incident Response - Get Running Services workflow retrieves a list of running services from Windows-based ServiceNow configuration items (CIs). This workflow is used for incident enrichment during investigations.

    Before you begin

    Role required: sn_si.analyst

    Why and when to perform this task

    The Security Incident Response - Get Running Services workflow runs automatically when you add a new configuration item to a Windows security incident after the state changes to Analysis. The information this workflow obtains appears on the Show Enrichment Data tabs for the security incident.

    Note:
    If the security incident remains in the Draft state, the Security Incident Response - Get Running Services workflow does not run.
    Workflow activities include:
    Figure 1. Get Running Services
    Security Incident Response - Get Running Services workflow diagram

    Procedure

    1. Open a security incident.
    2. Update the State to Analysis, if necessary.
    3. Add a Windows-based configuration item (server, laptop, or similar).
    4. Click Update.
      Security Incident Response provides running services information in the Related Links > Security Incident Enrichments tab. For more information, see Security Operations enrichment data mapping.