Get Running Services - WMI Enrichment

  • Release version: Xanadu
  • Updated June 11, 2026
  • 1 minute to read

    • The Security Incident Response - Get Running Services flow gathers running services on a configuration item added to a security incident.

    The Get Running Services - WMI Enrichment flow action is launched automatically to retrieve running services information for a Windows host.

    Input variables

    Input variables determine the initial behavior of the flow action.

    Table 1. Input variables
    Variable Description
    target [string] The fully qualified domain name (FQDN) of the target system.

    Output variables

    The output variables contain data that can be used in subsequent activities.

    Table 2. Output variables
    Variable Description
    response [string]

    A JSON string representing the current running services on the target system.

    JSON data includes:

    name
    The name of the service
    pid
    The process identifier of the running service
    service_type
    (Optional) The type of running service.
    start_name
    The system name for the service
    path
    The file path of the running service executable
    start_mode
    The start mode of the running service.
    display_name
    The name of the running service as it appears to the user

    Restrictions

    The MID Server must support PowerShell.

    SHA-256 hash requires PowerShell V4.