Fortinet Document Library

About the connector

Microsoft Windows Management Instrumentation (WMI) provides the infrastructure for management data and operations on Windows-based operating systems. You can write WMI scripts or applications to automate administrative tasks on remote computers. However, WMI also supplies management data to other parts of the operating system and products, for example, System Center Operations Manager, formerly Microsoft Operations Manager (MOM) or Windows Remote Management (WinRM).

This document provides information about the Microsoft WMI connector, which facilitates remote execution of commands on a Microsoft WMI server using FortiSOAR™ playbooks. Add the Microsoft WMI connector as a step in FortiSOAR™ playbooks and perform automated operations, such as getting a list of installed services on the system, getting a list of processes on the system, and running an arbitrary query using WQL (SQL for WMI) on the system.

 

Version information

Connector Version: 1.0.1

Compatibility with FortiSOAR™ Versions: 4.10.3-161 and later

Compatibility with Microsoft WMI Versions: wmi-1.3.14 and later

 

Release Notes for version 1.0.1

The following enhancements have been made to the Microsoft WMI Connector in version 1.0.1:

  • Added IP Address as an input parameter for all operations.

Installing the connector

For the procedure to install a connector, click here.

 

Prerequisites to configuring the connector

  • You must install the Windows Management Instrumentation Command-line (WMIC) client. WMIC connects remotely to systems from the command line, letting you manage Windows systems and track their performance. For installing WMIC, see: https://techedemic.com/2012/11/05/installing-wmic-in-ubuntu-12-04-lts-64-bit-desktop/.
    Note: If you have not run sudo make, use the make "CPP=gcc -E -ffreestanding" command instead.
  • You must have the necessary permissions to execute a WMIC command.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

 

Configuration parameters

In FortiSOAR™, on the Connectors page, select the Microsoft WMI connector and click Configure to configure the following parameters:

 

Parameter    Description
Username     Username to access the Microsoft WMI instance.
Password     Password to access the Microsoft WMI instance.

 

 

Actions supported by the connector

The following automated operations can be included in playbooks; from FortiSOAR™ release 4.10.0 onwards, you can also use the annotations to access these operations:

 

  • Get Services: Retrieves a list of services that are installed on the system. Annotation: get_services. Category: Investigation.
  • Get Processes: Retrieves a list of processes running on the system. Annotation: list_processes. Category: Investigation.
  • Get System Information: Retrieves information about the system, such as the Workgroup name and SystemStartupOptions. Annotation: get_system_info. Category: Investigation.
  • Get Users: Retrieves a list of users that are configured on the system. Annotation: get_users. Category: Investigation.
  • Run Query: Runs an arbitrary query in the WQL format on the system. For information on WQL, click here. Annotation: run_query. Category: Investigation.

 

Operation: Get Services

Input parameters

 

Parameter    Description
IP Address   IP address or FQDN of the Microsoft WMI server to which you will connect and perform automated operations.

 

Output

The JSON output contains a list of services installed on the system.

The following image displays a sample output:

Sample output of the Get Services operation

 

Operation: Get Processes

Input parameters

 

Parameter    Description
IP Address   IP address or FQDN of the Microsoft WMI server to which you will connect and perform automated operations.

 

Output

The JSON output contains a list of processes running on the system.

The following image displays a sample output:

Sample output of the Get Processes operation
 

Operation: Get System Information

Input parameters

 

Parameter    Description
IP Address   IP address or FQDN of the Microsoft WMI server to which you will connect and perform automated operations.

 

Output

The JSON output contains information about the system, such as the Workgroup name and SystemStartupOptions.

The following image displays a sample output:

Sample output of the Get System Information operation

 

Operation: Get Users

Input parameters

 

Parameter    Description
IP Address   IP address or FQDN of the Microsoft WMI server to which you will connect and perform automated operations.

 

Output

The JSON output contains a list of users configured on the system.

The following image displays a sample output:

Sample output of the Get Users operation

 

Operation: Run Query

Input parameters

 

Parameter    Description
IP Address   IP address or FQDN of the Microsoft WMI server to which you will connect and perform automated operations.
Query        Arbitrary query in the WQL format to be run on the system.

 

Output

The JSON output contains the result of the query, which is dependent on the query that you run.

The following image displays a sample output when you run the Select * From Win32_SerialPort query:

Sample output of the Run Query operation
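As an added example (not the connector's own code), the following Python shows how a connector of this kind can restrict the Run Query input to a single read-only WQL SELECT statement, pass the IP Address, Username, Password and Query to the Linux wmic client as separate arguments rather than through a shell, mask the password before the command line is logged, and turn wmic's pipe-delimited text into the JSON-style structure the operations return. The sample wmic output, host, credentials and helper names are constructed assumptions.

```python
import re

# Constructed sample of the pipe-delimited text the Linux wmic client prints:
# a CLASS line, a header row, then one row per WMI object.
SAMPLE_WMIC_OUTPUT = """CLASS: Win32_Service
Name|State|StartMode|PathName
Spooler|Running|Auto|C:\\Windows\\System32\\spoolsv.exe
wuauserv|Stopped|Manual|C:\\Windows\\system32\\svchost.exe -k netsvcs
"""

# One read-only statement only: SELECT <fields> FROM <class> [WHERE <cond>].
WQL_SELECT = re.compile(
    r"^\s*SELECT\s+.+?\s+FROM\s+[A-Za-z0-9_]+(\s+WHERE\s+.+)?\s*$", re.I | re.S)


def validate_wql(query: str) -> str:
    """Reject anything other than a single SELECT before it reaches wmic."""
    if ";" in query or "\n" in query:
        raise ValueError("multi-statement or multi-line WQL rejected")
    if not WQL_SELECT.match(query):
        raise ValueError("only SELECT ... FROM <class> [WHERE ...] is allowed")
    return query.strip()


def build_wmic_argv(host: str, username: str, password: str, query: str) -> list:
    """argv for the samba-based wmic client (user%password, //host, query).
    Returned as a list for subprocess.run() without a shell, so the playbook
    inputs are passed as literal arguments and cannot inject shell syntax."""
    return ["wmic", "-U", f"{username}%{password}", f"//{host}", validate_wql(query)]


def redact_argv(argv: list) -> list:
    """Copy of argv that is safe to write to a playbook log: password masked."""
    out = list(argv)
    user, _, _ = out[2].partition("%")
    out[2] = f"{user}%***"
    return out


def parse_wmic_output(text: str) -> dict:
    """Turn wmic's pipe-delimited table into {"class": ..., "records": [...]},
    one dict per row keyed by the header columns."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2 or not lines[0].startswith("CLASS: "):
        raise ValueError("unexpected wmic output")
    header = lines[1].split("|")
    records = []
    for line in lines[2:]:
        # maxsplit keeps any '|' inside the last column (e.g. a command line).
        fields = line.split("|", len(header) - 1)
        records.append(dict(zip(header, fields)))
    return {"class": lines[0][len("CLASS: "):], "records": records}
```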

 

Included playbooks

The Sample - Microsoft WMI - 1.0.1 playbook collection comes bundled with the Microsoft WMI connector. This playbook collection contains steps that perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Microsoft WMI connector.

  • Get Processes
  • Get Services
  • Get System Information
  • Get Users
  • Run Query

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
