Microsoft WMI v1.1.0


About the connector

Microsoft Windows Management Instrumentation (WMI) provides the infrastructure for management data and operations on Windows-based operating systems. You can write WMI scripts or applications to automate administrative tasks on remote computers. However, WMI also supplies management data to other parts of the operating system and products, for example, System Center Operations Manager, formerly Microsoft Operations Manager (MOM) or Windows Remote Management (WinRM).

This document provides information about the Microsoft WMI connector, which facilitates remote execution of commands on a Microsoft WMI server using FortiSOAR™ playbooks. Add the Microsoft WMI connector as a step in FortiSOAR™ playbooks and perform automated operations, such as getting a list of installed services on the system, getting a list of processes on the system, and running an arbitrary query using WQL (SQL for WMI) on the system.

Version information

Connector Version: 1.1.0

FortiSOAR™ Version Tested on: 4.12.0-746

Microsoft WMI Version Tested on: wmi-1.3.14

Authored By: Fortinet.

Certified: Yes

Release Notes for version 1.1.0

The following enhancements have been made to the Microsoft WMI connector in version 1.1.0:

  • Enhanced handling of special characters in the password or username. Earlier, you could not add special characters to usernames or passwords.

Installing the connector

For the procedure to install a connector, click here.

Prerequisites to configuring the connector

  • You must install Windows Management Instrumentation Command-line (WMIC). WMIC lets you connect to remote systems from the command line, manage Windows systems, and track their performance. For instructions on installing WMIC, see: https://techedemic.com/2012/11/05/installing-wmic-in-ubuntu-12-04-lts-64-bit-desktop/.
    Note: If you have not run sudo make, use the make "CPP=gcc -E -ffreestanding" command instead.
  • You must have the necessary permissions to execute a WMIC command.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Microsoft WMI connector row, and in the Configure tab enter the required configuration details.

Parameter | Description
Username | Username to access the Microsoft WMI instance.
Password | Password to access the Microsoft WMI instance.

Actions supported by the connector

The following automated operations can be included in playbooks. From FortiSOAR™ release 4.10.0 onwards, you can also use the annotations to access these operations:

Function | Description | Annotation | Category
Get Services | Retrieves a list of services that are installed on the system. | get_services | Investigation
Get Processes | Retrieves a list of processes that are running on the system. | list_processes | Investigation
Get System Information | Retrieves information about the system, such as the Workgroup name and System Startup Options. | get_system_info | Investigation
Get Users | Retrieves a list of users that are configured on the system. | get_users | Investigation
Run Query | Runs an arbitrary query in the WQL format on the system. For information on WQL, click here. | run_query | Investigation

operation: Get Services

Input parameters

Parameter | Description
IP Address | IP address or FQDN of the Microsoft WMI server to which you will connect and perform automated operations.

Output

The JSON output contains a list of services installed on the system.

The output contains the following populated JSON schema:

{
  "ServiceDetails": [
    {
      "StartName": "",
      "TagId": "",
      "AcceptStop": "",
      "AcceptPause": "",
      "Started": "",
      "Name": "",
      "State": "",
      "StartMode": "",
      "SystemCreationClassName": "",
      "DisplayName": "",
      "SystemName": "",
      "ExitCode": "",
      "CheckPoint": "",
      "DesktopInteract": "",
      "InstallDate": "",
      "ServiceSpecificExitCode": "",
      "ProcessId": "",
      "WaitHint": "",
      "Status": "",
      "ErrorControl": "",
      "CreationClassName": "",
      "PathName": "",
      "Caption": "",
      "ServiceType": "",
      "Description": ""
    }
  ]
}
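The connector's release note above is about special characters in credentials, and the schema above is what a caller gets back. The following Python is an added example, not the connector's own code, showing how a wrapper can invoke the Linux wmic CLI with the credentials and the query each passed as a single argv element (no shell in between, so characters such as $, !, & or quotes in a password cannot break the command), and then parse wmic's pipe-delimited output into the ServiceDetails shape. The wmic command syntax (-U [DOMAIN/]user%password //host "WQL") and its CLASS/header/rows output format are assumptions about the Samba-derived wmic build the prerequisites refer to; the sample output and the function names are constructed for this example.

```python
import subprocess
from typing import Callable, Dict, List

# Constructed sample of the text the Linux wmic tool prints for a Win32_Service query.
# Assumed format: a "CLASS:" line, a '|'-separated header line, then one '|'-separated
# row per WMI object. Real output carries all the columns of the schema above.
SAMPLE_WMIC_OUTPUT = """CLASS: Win32_Service
Name|DisplayName|State|StartMode|StartName|PathName|ProcessId
Spooler|Print Spooler|Running|Auto|LocalSystem|C:\\Windows\\System32\\spoolsv.exe|1234
wuauserv|Windows Update|Stopped|Manual|LocalSystem|C:\\Windows\\system32\\svchost.exe -k netsvcs|0
"""


def build_wmic_argv(host: str, username: str, password: str, query: str,
                    domain: str = "") -> List[str]:
    """Build the argument vector for the Linux wmic CLI (assumed syntax:
    wmic -U [DOMAIN/]user%password //host "WQL").

    Credentials are one argv element and the query another, and the caller runs
    subprocess with shell=False, so '$', '!', '&', quotes or spaces in the
    username or password never reach a shell. A '%' in the username would be
    misread by wmic as the user/password separator, so it is rejected here.
    """
    if "%" in username:
        raise ValueError("usernames containing '%' cannot be passed to wmic")
    user = f"{domain}/{username}" if domain else username
    return ["wmic", "-U", f"{user}%{password}", f"//{host}", query]


def parse_wmic_output(text: str) -> List[Dict[str, str]]:
    """Turn wmic's CLASS/header/rows output into one dict per WMI object."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2 or not lines[0].startswith("CLASS:"):
        raise ValueError("unexpected wmic output: missing CLASS header")
    header = lines[1].split("|")
    rows = []
    for line in lines[2:]:
        fields = line.split("|")
        # A value that itself contains '|' would break this split; wmic's
        # --delimiter option (assumed) lets you pick a safer separator if needed.
        if len(fields) != len(header):
            raise ValueError(f"column count mismatch in row: {line!r}")
        rows.append(dict(zip(header, fields)))
    return rows


def get_services(host: str, username: str, password: str,
                 runner: Callable = subprocess.run) -> Dict[str, List[Dict[str, str]]]:
    """Return the same shape as the Get Services action: {"ServiceDetails": [...]}.

    `runner` defaults to subprocess.run and can be replaced by a fake in tests.
    """
    argv = build_wmic_argv(host, username, password, "SELECT * FROM Win32_Service")
    completed = runner(argv, capture_output=True, text=True, check=True)
    return {"ServiceDetails": parse_wmic_output(completed.stdout)}


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; no wmic binary required.
    for svc in parse_wmic_output(SAMPLE_WMIC_OUTPUT):
        print(f"{svc['Name']:<10} {svc['State']:<8} {svc['PathName']}")
```

The point of the argv list is that the password is never interpolated into a command string: the only character that still has meaning is wmic's own % separator, which the wrapper checks for explicitly in the username.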

operation: Get Processes

Input parameters

Parameter | Description
IP Address | IP address or FQDN of the Microsoft WMI server to which you will connect and perform automated operations.

Output

The JSON output contains a list of processes running on the system.

The output contains the following populated JSON schema:

{
  "ProcessDetails": [
    {
      "CommandLine": "",
      "VirtualSize": "",
      "OtherTransferCount": "",
      "Name": "",
      "ExecutionState": "",
      "Priority": "",
      "UserModeTime": "(null)",
      "QuotaNonPagedPoolUsage": "",
      "WriteTransferCount": "",
      "ExecutablePath": "",
      "InstallDate": "",
      "CSCreationClassName": "",
      "WindowsVersion": "",
      "CSName": "",
      "PeakPageFileUsage": "",
      "Status": "",
      "WriteOperationCount": "",
      "CreationClassName": "",
      "KernelModeTime": "",
      "OSName": "",
      "PeakVirtualSize": "",
      "QuotaPagedPoolUsage": "",
      "ReadOperationCount": "",
      "MinimumWorkingSetSize": "",
      "WorkingSetSize": "",
      "OtherOperationCount": "",
      "CreationDate": "",
      "TerminationDate": "",
      "OSCreationClassName": "",
      "PrivatePageCount": "",
      "QuotaPeakPagedPoolUsage": "",
      "ReadTransferCount": "",
      "MaximumWorkingSetSize": "",
      "SessionId": "",
      "ProcessId": "",
      "HandleCount": "",
      "PageFaults": "",
      "Handle": "",
      "PeakWorkingSetSize": "",
      "ThreadCount": "",
      "PageFileUsage": "",
      "Caption": "",
      "QuotaPeakNonPagedPoolUsage": "",
      "ParentProcessId": "",
      "Description": ""
    }
  ]
}

operation: Get System Information

Input parameters

Parameter | Description
IP Address | IP address or FQDN of the Microsoft WMI server to which you will connect and perform automated operations.

Output

The JSON output contains information about the system, such as the Workgroup name and System Startup Options.

The output contains the following populated JSON schema:

{
  "OSDetails": [
    {
      "LastBootUpTime": "",
      "SuiteMask": "",
      "FreeSpaceInPagingFiles": "",
      "BootDevice": "",
      "Manufacturer": "",
      "PlusVersionNumber": "",
      "LocalDateTime": "",
      "SystemDirectory": "",
      "DataExecutionPrevention_Available": "",
      "MUILanguages": "",
      "DataExecutionPrevention_SupportPolicy": "",
      "SystemDevice": "",
      "OtherTypeDescription": "",
      "ServicePackMajorVersion": "",
      "RegisteredUser": "",
      "Distributed": "",
      "NumberOfLicensedUsers": "",
      "OSType": "",
      "Primary": "",
      "CSCreationClassName": "",
      "Organization": "",
      "WindowsDirectory": "",
      "CurrentTimeZone": "",
      "SystemDrive": "",
      "Status": "",
      "ProductType": "",
      "CreationClassName": "",
      "PlusProductID": "",
      "NumberOfUsers": "",
      "InstallDate": "",
      "EncryptionLevel": "",
      "OSLanguage": "",
      "BuildType": "",
      "OperatingSystemSKU": "",
      "FreePhysicalMemory": "",
      "TotalSwapSpaceSize": "",
      "BuildNumber": "",
      "NumberOfProcesses": "",
      "LargeSystemCache": "",
      "ServicePackMinorVersion": "",
      "MaxProcessMemorySize": "",
      "FreeVirtualMemory": "",
      "OSProductSuite": "",
      "Name": "",
      "CSName": "",
      "SizeStoredInPagingFiles": "",
      "DataExecutionPrevention_32BitApplications": "",
      "MaxNumberOfProcesses": "",
      "DataExecutionPrevention_Drivers": "",
      "TotalVirtualMemorySize": "",
      "CodeSet": "",
      "Version": "",
      "SerialNumber": "",
      "TotalVisibleMemorySize": "",
      "OSArchitecture": "",
      "Debug": "",
      "CountryCode": "",
      "Locale": "",
      "ForegroundApplicationBoost": "",
      "CSDVersion": "",
      "Caption": "",
      "PAEEnabled": "",
      "Description": ""
    }
  ],
  "SystemDetails": [
    {
      "AutomaticManagedPagefile": "",
      "Manufacturer": "",
      "SystemType": "",
      "PrimaryOwnerContact": "",
      "SystemStartupOptions": "",
      "FrontPanelResetStatus": "",
      "AdminPasswordStatus": "",
      "PrimaryOwnerName": "",
      "SystemStartupSetting": "",
      "ResetCount": "",
      "CreationClassName": "",
      "Model": "",
      "InstallDate": "",
      "WakeUpType": "",
      "NameFormat": "",
      "PowerOnPasswordStatus": "",
      "CurrentTimeZone": "",
      "OEMLogoBitmap": "",
      "AutomaticResetCapability": "",
      "NumberOfLogicalProcessors": "",
      "UserName": "",
      "Status": "",
      "SupportContactDescription": "",
      "ResetLimit": "",
      "DaylightInEffect": "",
      "Domain": "",
      "PowerState": "",
      "LastLoadInfo": "",
      "ResetCapability": "",
      "PowerSupplyState": "",
      "DNSHostName": "",
      "EnableDaylightSavingsTime": "",
      "DomainRole": "",
      "BootROMSupported": "",
      "ThermalState": "",
      "PowerManagementCapabilities": "",
      "NumberOfProcessors": "",
      "InitialLoadInfo": "",
      "ChassisBootupState": "",
      "Name": "",
      "NetworkServerModeEnabled": "",
      "TotalPhysicalMemory": "",
      "Roles": "",
      "PauseAfterReset": "",
      "BootupState": "",
      "InfraredSupported": "",
      "PCSystemType": "",
      "BootOptionOnLimit": "",
      "PartOfDomain": "",
      "SystemStartupDelay": "",
      "PowerManagementSupported": "",
      "Workgroup": "",
      "Caption": "",
      "AutomaticResetBootOption": "",
      "Description": "",
      "BootOptionOnWatchDog": "",
      "KeyboardPasswordStatus": "",
      "OEMStringArray": ""
    }
  ],
  "BootConfigDetails": [
    {
      "BootDirectory": "",
      "ScratchDirectory": "",
      "ConfigurationPath": "",
      "SettingID": "",
      "Caption": "",
      "LastDrive": "",
      "TempDirectory": "",
      "Name": "",
      "Description": ""
    }
  ]
}

operation: Get Users

Input parameters

Parameter | Description
IP Address | IP address or FQDN of the Microsoft WMI server to which you will connect and perform automated operations.

Output

The JSON output contains a list of users configured on the system.

The output contains the following populated JSON schema:

{
  "UsersData": [
    {
      "PasswordExpires": "",
      "PasswordRequired": "",
      "FullName": "",
      "Disabled": "",
      "SID": "",
      "AccountType": "",
      "Domain": "",
      "Status": "",
      "SIDType": "",
      "Lockout": "",
      "LocalAccount": "",
      "Name": "",
      "Caption": "",
      "PasswordChangeable": "",
      "InstallDate": "",
      "Description": ""
    }
  ]
}

operation: Run Query

Input parameters

Parameter | Description
IP Address | IP address or FQDN of the Microsoft WMI server to which you will connect and perform automated operations.
Query | Arbitrary query in the WQL format to be run on the system.

Output

The JSON output contains the result of the query, which is dependent on the query that you run.
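Because Run Query forwards whatever WQL a playbook supplies, a deployment will usually want a gate in front of it. The following Python is an added example, not part of the connector, of an allow-list check that accepts only a single read-only SELECT ... FROM <class> [WHERE ...] statement against the WMI classes this connector's other actions already expose, and refuses everything else with a reason that can be logged. The class list, the length limit, the WHERE character set and the function names are assumptions chosen for the example; adjust the allow list to the classes your playbooks legitimately need.

```python
import re
from typing import Callable, Iterable, Tuple

# Assumed policy: the WMI classes behind this connector's own five actions.
# Class names are compared case-insensitively, as WMI itself treats them.
ALLOWED_CLASSES = {
    "Win32_Service", "Win32_Process", "Win32_OperatingSystem",
    "Win32_ComputerSystem", "Win32_BootConfiguration", "Win32_UserAccount",
}

# One SELECT, a column list or '*', one FROM class, an optional WHERE clause.
_SELECT_RE = re.compile(
    r"^\s*SELECT\s+(?P<cols>\*|[A-Za-z_]\w*(?:\s*,\s*[A-Za-z_]\w*)*)"
    r"\s+FROM\s+(?P<cls>[A-Za-z_]\w*)"
    r"(?:\s+WHERE\s+(?P<where>.+?))?\s*$",
    re.IGNORECASE,
)
# Characters a plain comparison / LIKE style WHERE clause needs, and nothing else.
_WHERE_RE = re.compile(r"^[\w\s=<>!'.%()-]+$")


def validate_wql(query: str, allowed_classes: Iterable[str] = ALLOWED_CLASSES,
                 max_len: int = 512) -> Tuple[bool, str]:
    """Return (accepted, reason) for a query that a playbook wants to run."""
    if len(query) > max_len:
        return False, "query exceeds the length limit"
    if any(ch in query for ch in "\r\n\x00"):
        return False, "control characters are not allowed"
    if ";" in query or "--" in query or "/*" in query:
        return False, "statement separators and comments are not allowed"
    m = _SELECT_RE.match(query)
    if m is None:
        return False, "only a single SELECT ... FROM <class> [WHERE ...] is accepted"
    cls = m.group("cls")
    if cls.lower() not in {c.lower() for c in allowed_classes}:
        return False, f"class {cls} is not on the allow list"
    where = m.group("where")
    if where is not None and _WHERE_RE.match(where) is None:
        return False, "unsupported characters in WHERE clause"
    return True, "ok"


def guarded_run_query(query: str, execute: Callable[[str], object]):
    """Hand `query` to `execute` only if it passes validation; otherwise raise.

    `execute` is whatever actually talks to the host, for example a wmic wrapper
    that passes the query as a single argv element with shell=False. The check
    here is policy on top of that, not a substitute for it.
    """
    accepted, reason = validate_wql(query)
    if not accepted:
        raise PermissionError(f"refused WQL query: {reason}")
    return execute(query)


if __name__ == "__main__":
    for q in ("SELECT Name, State FROM Win32_Service WHERE State = 'Running'",
              "SELECT * FROM CIM_DataFile",
              "SELECT * FROM Win32_Service; SELECT * FROM Win32_Process"):
        print(validate_wql(q), "<-", q)
```

Refusals carry a reason string so the playbook can record which rule fired; a run of refused queries from one playbook or one user is itself worth surfacing in the SOC's own monitoring.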

Included playbooks

The Sample - Microsoft-WMI - 1.1.0 playbook collection comes bundled with the Microsoft WMI connector. This collection contains playbooks that demonstrate all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Microsoft WMI connector.

  • Get Processes
  • Get Services
  • Get System Information
  • Get Users
  • Run Query

Note: If you are planning to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.
