Microsoft Windows Management Instrumentation (WMI) provides the infrastructure for management data and operations on Windows-based operating systems. You can write WMI scripts or applications to automate administrative tasks on remote computers. However, WMI also supplies management data to other parts of the operating system and products, for example, System Center Operations Manager, formerly Microsoft Operations Manager (MOM) or Windows Remote Management (WinRM).
This document provides information about the Microsoft WMI connector, which facilitates remote execution of commands on a Microsoft WMI server using FortiSOAR™ playbooks. Add the Microsoft WMI connector as a step in FortiSOAR™ playbooks and perform automated operations, such as getting a list of installed services on the system, getting a list of processes on the system, and running an arbitrary query using WQL (SQL for WMI) on the system.
Connector Version: 1.1.0
FortiSOAR™ Version Tested on: 4.12.0-746
Microsoft WMI Version Tested on: wmi-1.3.14
Authored By: Fortinet.
Certified: Yes
The following enhancements have been made to the Microsoft WMI Connector in version 1.1.0:
For the procedure to install a connector, click here.
The wmi-1.3.14 client is built with `sudo make`; if that build fails, then use the `make "CPP=gcc -E -ffreestanding"` command instead.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Microsoft WMI connector row, and in the Configure tab enter the required configuration details.
Parameter | Description |
---|---|
Username | Username to access the Microsoft WMI instance. |
Password | Password to access the Microsoft WMI instance. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Services | Retrieves a list of services that are installed on the system. | get_services Investigation |
Get Processes | Retrieves a list of processes that are running on the system. | list_processes Investigation |
Get System Information | Retrieves information about the system, such as the workgroup name and system startup options. | get_system_info Investigation |
Get Users | Retrieves a list of users that are configured on the system. | get_users Investigation |
Run Query | Runs an arbitrary query in the WQL format on the system. For information on WQL, click here. | run_query Investigation |
Get Services: input parameters

Parameter | Description |
---|---|
IP Address | IP address or FQDN of the Microsoft WMI server to which you will connect and perform automated operations. |
The JSON output contains a list of services installed on the system.
The output contains the following populated JSON schema:
{
"ServiceDetails": [
{
"StartName": "",
"TagId": "",
"AcceptStop": "",
"AcceptPause": "",
"Started": "",
"Name": "",
"State": "",
"StartMode": "",
"SystemCreationClassName": "",
"DisplayName": "",
"SystemName": "",
"ExitCode": "",
"CheckPoint": "",
"DesktopInteract": "",
"InstallDate": "",
"ServiceSpecificExitCode": "",
"ProcessId": "",
"WaitHint": "",
"Status": "",
"ErrorControl": "",
"CreationClassName": "",
"PathName": "",
"Caption": "",
"ServiceType": "",
"Description": ""
}
]
}
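The connector is tested against wmi-1.3.14, the Linux wmic client, which prints a `CLASS:` line, a `|`-separated header and one `|`-separated row per instance. The following is an added example, not the connector's own code, showing how that text is turned into the ServiceDetails structure documented above and then run through a first-pass triage check an investigation playbook might apply. The sample output is constructed, and the `--delimiter` client option mentioned in the comments is from the wmic help text, not from this page.

```python
# Added example (not the connector's own code): parse the text printed by
# the Linux wmic client (wmi-1.3.14) into the ServiceDetails structure
# documented above, then run a simple triage check over it.
import json
from typing import Dict, List

# Constructed sample of wmic output, not captured from a real host. The
# client prints "CLASS: <name>", then a '|'-separated header line, then one
# '|'-separated row per instance in header order.
SAMPLE_WMIC_OUTPUT = """CLASS: Win32_Service
DisplayName|Name|PathName|ProcessId|StartMode|StartName|State
Print Spooler|Spooler|C:\\Windows\\System32\\spoolsv.exe|1532|Auto|LocalSystem|Running
Acme Updater|AcmeUpd|"C:\\Users\\Public\\Acme Updater\\acmeupd.exe" -svc|4120|Auto|LocalSystem|Running
Windows Update|wuauserv|C:\\Windows\\system32\\svchost.exe -k netsvcs|0|Manual|LocalSystem|Stopped
"""


def parse_wmic_output(text: str, delimiter: str = "|") -> List[Dict[str, str]]:
    """Parse wmic's tabular output into one dict per instance.

    Values are split on `delimiter`. If a property value can itself contain
    '|' (Win32_Process.CommandLine often does), run wmic with --delimiter
    set to a string that cannot occur in the data and pass it here too.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2 or not lines[0].startswith("CLASS: "):
        raise ValueError("not wmic output: expected a 'CLASS: <name>' line")
    header = lines[1].split(delimiter)
    rows: List[Dict[str, str]] = []
    for ln in lines[2:]:
        fields = ln.split(delimiter)
        if len(fields) != len(header):
            # Do not guess: a mismatched row means the delimiter appeared in
            # a value and every later column would be mis-attributed.
            raise ValueError(
                f"row has {len(fields)} fields, header has {len(header)}: {ln!r}")
        rows.append(dict(zip(header, fields)))
    return rows


def service_details(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Wrap parsed Win32_Service rows under the ServiceDetails key used above."""
    return {"ServiceDetails": parse_wmic_output(text)}


def executable_of(pathname: str) -> str:
    """Extract the image path from a service PathName, which may be quoted
    and may carry arguments (for example svchost.exe -k netsvcs)."""
    pathname = pathname.strip()
    if pathname.startswith('"'):
        end = pathname.find('"', 1)
        return pathname[1:end] if end > 0 else pathname[1:]
    return pathname.split(" ", 1)[0]


def running_outside_windows_dir(details: Dict[str, List[Dict[str, str]]]) -> List[str]:
    """Names of running services whose image is not under C:\\Windows.

    A cheap first-pass check for an investigation playbook: a lead, not a
    verdict, since legitimate third-party services live elsewhere too.
    """
    hits = []
    for svc in details["ServiceDetails"]:
        exe = executable_of(svc.get("PathName", "")).lower()
        if svc.get("State") == "Running" and not exe.startswith("c:\\windows\\"):
            hits.append(svc["Name"])
    return hits


if __name__ == "__main__":
    details = service_details(SAMPLE_WMIC_OUTPUT)
    print(json.dumps(details, indent=2))
    print("review:", running_outside_windows_dir(details))
```

The parser refuses rows whose field count does not match the header rather than silently shifting columns, because a shifted PathName or State would make every downstream check wrong.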
Get Processes: input parameters

Parameter | Description |
---|---|
IP Address | IP address or FQDN of the Microsoft WMI server to which you will connect and perform automated operations. |
The JSON output contains a list of processes running on the system.
The output contains the following populated JSON schema:
{
"ProcessDetails": [
{
"CommandLine": "",
"VirtualSize": "",
"OtherTransferCount": "",
"Name": "",
"ExecutionState": "",
"Priority": "",
"UserModeTime": "(null)",
"QuotaNonPagedPoolUsage": "",
"WriteTransferCount": "",
"ExecutablePath": "",
"InstallDate": "",
"CSCreationClassName": "",
"WindowsVersion": "",
"CSName": "",
"PeakPageFileUsage": "",
"Status": "",
"WriteOperationCount": "",
"CreationClassName": "",
"KernelModeTime": "",
"OSName": "",
"PeakVirtualSize": "",
"QuotaPagedPoolUsage": "",
"ReadOperationCount": "",
"MinimumWorkingSetSize": "",
"WorkingSetSize": "",
"OtherOperationCount": "",
"CreationDate": "",
"TerminationDate": "",
"OSCreationClassName": "",
"PrivatePageCount": "",
"QuotaPeakPagedPoolUsage": "",
"ReadTransferCount": "",
"MaximumWorkingSetSize": "",
"SessionId": "",
"ProcessId": "",
"HandleCount": "",
"PageFaults": "",
"Handle": "",
"PeakWorkingSetSize": "",
"ThreadCount": "",
"PageFileUsage": "",
"Caption": "",
"QuotaPeakNonPagedPoolUsage": "",
"ParentProcessId": "",
"Description": ""
}
]
}
Get System Information: input parameters

Parameter | Description |
---|---|
IP Address | IP address or FQDN of the Microsoft WMI server to which you will connect and perform automated operations. |
The JSON output contains information about the system, such as the workgroup name and system startup options.
The output contains the following populated JSON schema:
{
"OSDetails": [
{
"LastBootUpTime": "",
"SuiteMask": "",
"FreeSpaceInPagingFiles": "",
"BootDevice": "",
"Manufacturer": "",
"PlusVersionNumber": "",
"LocalDateTime": "",
"SystemDirectory": "",
"DataExecutionPrevention_Available": "",
"MUILanguages": "",
"DataExecutionPrevention_SupportPolicy": "",
"SystemDevice": "",
"OtherTypeDescription": "",
"ServicePackMajorVersion": "",
"RegisteredUser": "",
"Distributed": "",
"NumberOfLicensedUsers": "",
"OSType": "",
"Primary": "",
"CSCreationClassName": "",
"Organization": "",
"WindowsDirectory": "",
"CurrentTimeZone": "",
"SystemDrive": "",
"Status": "",
"ProductType": "",
"CreationClassName": "",
"PlusProductID": "",
"NumberOfUsers": "",
"InstallDate": "",
"EncryptionLevel": "",
"OSLanguage": "",
"BuildType": "",
"OperatingSystemSKU": "",
"FreePhysicalMemory": "",
"TotalSwapSpaceSize": "",
"BuildNumber": "",
"NumberOfProcesses": "",
"LargeSystemCache": "",
"ServicePackMinorVersion": "",
"MaxProcessMemorySize": "",
"FreeVirtualMemory": "",
"OSProductSuite": "",
"Name": "",
"CSName": "",
"SizeStoredInPagingFiles": "",
"DataExecutionPrevention_32BitApplications": "",
"MaxNumberOfProcesses": "",
"DataExecutionPrevention_Drivers": "",
"TotalVirtualMemorySize": "",
"CodeSet": "",
"Version": "",
"SerialNumber": "",
"TotalVisibleMemorySize": "",
"OSArchitecture": "",
"Debug": "",
"CountryCode": "",
"Locale": "",
"ForegroundApplicationBoost": "",
"CSDVersion": "",
"Caption": "",
"PAEEnabled": "",
"Description": ""
}
],
"SystemDetails": [
{
"AutomaticManagedPagefile": "",
"Manufacturer": "",
"SystemType": "",
"PrimaryOwnerContact": "",
"SystemStartupOptions": "",
"FrontPanelResetStatus": "",
"AdminPasswordStatus": "",
"PrimaryOwnerName": "",
"SystemStartupSetting": "",
"ResetCount": "",
"CreationClassName": "",
"Model": "",
"InstallDate": "",
"WakeUpType": "",
"NameFormat": "",
"PowerOnPasswordStatus": "",
"CurrentTimeZone": "",
"OEMLogoBitmap": "",
"AutomaticResetCapability": "",
"NumberOfLogicalProcessors": "",
"UserName": "",
"Status": "",
"SupportContactDescription": "",
"ResetLimit": "",
"DaylightInEffect": "",
"Domain": "",
"PowerState": "",
"LastLoadInfo": "",
"ResetCapability": "",
"PowerSupplyState": "",
"DNSHostName": "",
"EnableDaylightSavingsTime": "",
"DomainRole": "",
"BootROMSupported": "",
"ThermalState": "",
"PowerManagementCapabilities": "",
"NumberOfProcessors": "",
"InitialLoadInfo": "",
"ChassisBootupState": "",
"Name": "",
"NetworkServerModeEnabled": "",
"TotalPhysicalMemory": "",
"Roles": "",
"PauseAfterReset": "",
"BootupState": "",
"InfraredSupported": "",
"PCSystemType": "",
"BootOptionOnLimit": "",
"PartOfDomain": "",
"SystemStartupDelay": "",
"PowerManagementSupported": "",
"Workgroup": "",
"Caption": "",
"AutomaticResetBootOption": "",
"Description": "",
"BootOptionOnWatchDog": "",
"KeyboardPasswordStatus": "",
"OEMStringArray": ""
}
],
"BootConfigDetails": [
{
"BootDirectory": "",
"ScratchDirectory": "",
"ConfigurationPath": "",
"SettingID": "",
"Caption": "",
"LastDrive": "",
"TempDirectory": "",
"Name": "",
"Description": ""
}
]
}
Get Users: input parameters

Parameter | Description |
---|---|
IP Address | IP address or FQDN of the Microsoft WMI server to which you will connect and perform automated operations. |
The JSON output contains a list of users configured on the system.
The output contains the following populated JSON schema:
{
"UsersData": [
{
"PasswordExpires": "",
"PasswordRequired": "",
"FullName": "",
"Disabled": "",
"SID": "",
"AccountType": "",
"Domain": "",
"Status": "",
"SIDType": "",
"Lockout": "",
"LocalAccount": "",
"Name": "",
"Caption": "",
"PasswordChangeable": "",
"InstallDate": "",
"Description": ""
}
]
}
Run Query: input parameters

Parameter | Description |
---|---|
IP Address | IP address or FQDN of the Microsoft WMI server to which you will connect and perform automated operations. |
Query | Arbitrary query in the WQL format to be run on the system. |
The JSON output contains the result of the query, which is dependent on the query that you run.
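The Query parameter is arbitrary WQL, and in a playbook its values often come from an alert (a process name, a path, a user) rather than from an analyst. The following added example, not the connector's own code, builds such a query so that the values stay inside string literals, checks the IP Address parameter before it becomes the `//host` argument, and assembles the wmic command line as an argv list. It assumes the Linux wmic client is invoked as `wmic -A <authfile> //<host> "<WQL>"`, where `-A` names a file holding username, password and domain (an alternative to `-U user%password`, which exposes the password in the process list), and that the client accepts the backslash escaping from Microsoft's WQL grammar; verify both against your wmic build. The authfile path is a placeholder.

```python
# Added example, not the connector's own code: safe WQL construction and
# argv assembly for the Run Query operation.
# Assumptions: wmic -A <authfile> //<host> "<WQL>" (authfile with
# username/password/domain lines) and WQL backslash escaping; the default
# authfile path is a placeholder.
import ipaddress
import re
from typing import List, Optional, Sequence, Tuple

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def wql_string(value: str) -> str:
    """Quote a WQL string literal. Backslash is WQL's escape character, so
    backslashes and the delimiting quote are escaped with it."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def wql_identifier(name: str) -> str:
    """Class and property names are never quoted in WQL, so they are
    allow-listed instead of escaped."""
    if not _IDENT.match(name):
        raise ValueError(f"not a WQL identifier: {name!r}")
    return name


def wql_select(cls: str, fields: Sequence[str] = ("*",),
               where: Optional[Sequence[Tuple[str, str]]] = None) -> str:
    """SELECT <fields> FROM <cls> [WHERE f1 = 'v1' AND f2 = 'v2' ...]."""
    cols = ", ".join("*" if f == "*" else wql_identifier(f) for f in fields)
    query = f"SELECT {cols} FROM {wql_identifier(cls)}"
    if where:
        clauses = [f"{wql_identifier(f)} = {wql_string(str(v))}" for f, v in where]
        query += " WHERE " + " AND ".join(clauses)
    return query


def check_raw_wql(query: str) -> str:
    """Gate for a hand-written Query parameter: one SELECT statement with
    no control characters. WQL is read-only, so this guards against garbage
    and multi-line input rather than acting as a security boundary."""
    if not re.match(r"^\s*SELECT\s", query, re.IGNORECASE):
        raise ValueError("only SELECT queries are accepted")
    if re.search(r"[\x00-\x1f;]", query):
        raise ValueError("query contains control characters or ';'")
    return query.strip()


def check_host(host: str) -> str:
    """The IP Address parameter becomes the //host argument: accept an IP
    literal or a hostname, and nothing that could be read as an option."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if _HOSTNAME.match(host):
        return host
    raise ValueError(f"not an IP address or FQDN: {host!r}")


def wmic_argv(host: str, query: str,
              authfile: str = "/etc/fortisoar/wmic.auth") -> List[str]:
    """argv for subprocess.run(..., shell=False). Each element is one
    argument, so quotes inside the query cannot split the command line."""
    return ["wmic", "-A", authfile, f"//{check_host(host)}", check_raw_wql(query)]


if __name__ == "__main__":
    # A path lifted from an alert; its quote and backslashes stay inside the literal.
    q = wql_select("Win32_Process", ("ProcessId", "CommandLine"),
                   where=[("ExecutablePath", r"C:\Users\Public\it's.exe")])
    print(q)
    print(wmic_argv("10.0.0.5", q))
```

Keep the auth file readable only by the account that runs the connector; passing credentials with `-U user%password` instead would make them visible to anyone who can list processes on the FortiSOAR host.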
The Sample - Microsoft-WMI - 1.1.0 playbook collection comes bundled with the Microsoft WMI connector. This collection contains playbooks with steps for every supported action. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Microsoft WMI connector.
Note: If you plan to use any of the sample playbooks in your environment, clone them and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.