Security Incident Response - Get Running Services workflow

  • Release version: Zurich
  • Updated July 31, 2025
  • 1 minute to read

    • The Security Incident Response - Get Running Services workflow retrieves a list of running services from Windows-based, ServiceNow, configuration items (CIs). This workflow is used for incident enrichment during investigations.

    Before you begin

    Role required: sn_si.analyst

    About this task

    The Security Incident Response - Get Running Services workflow runs automatically when you add a new configuration item to a Windows security incident after the state changes to Analysis. The information this workflow obtains appears on the Show Enrichment Data tabs for the security incident.

    Note:
    If the security incident remains in the Draft state, the Security Incident Response - Get Running Services workflow workflow does not run.
    Workflow activities include:

    Procedure

    1. Open a security incident.
    2. Update the State to Analysis, if necessary.
    3. Add a Windows-based configuration item (server, laptop, or similar).
    4. Select Update.
      Security Incident Response provides running services information in the Related Links > Security Incident Enrichmentstab. For more information, see Security Operations enrichment data mapping.