Fortinet Document Library

Version:


Table of Contents

1.1.0
Copy Link

About the connector

Microsoft Windows Management Instrumentation (WMI) provides the infrastructure for management data and operations on Windows-based operating systems. You can write WMI scripts or applications to automate administrative tasks on remote computers. However, WMI also supplies management data to other parts of the operating system and products, for example, System Center Operations Manager, formerly Microsoft Operations Manager (MOM) or Windows Remote Management (WinRM).

This document provides information about the Microsoft WMI connector, which facilitates remote execution of commands on a Microsoft WMI server using FortiSOAR™ playbooks. Add the Microsoft WMI connector as a step in FortiSOAR™ playbooks and perform automated operations, such as getting a list of installed services on the system, getting a list of processes on the system, and running an arbitrary query using WQL (SQL for WMI) on the system.

Version information

Connector Version: 1.1.0

FortiSOAR™ Version Tested on: 4.12.0-746

Microsoft WMI Version Tested on: wmi-1.3.14

Authored By: Fortinet.

Certified: Yes

Release Notes for version 1.1.0

Following enhancements have been made to the Microsoft WMI Connector in version 1.1.0:

  • Enhanced handling of special characters in the password or username. Earlier, you could not add special characters to usernames or passwords.

Installing the connector

For the procedure to install a connector, click here.

Prerequisites to configuring the connector

  • You must install Windows Management Instrumentation Command-line (WMIC). Use WMIC to connect remotely to systems using the command line and enabling you to manage windows systems and track their performance. For installing WMIC see: https://techedemic.com/2012/11/05/installing-wmic-in-ubuntu-12-04-lts-64-bit-desktop/.
    Note: If you have not run the sudo make then use the make "CPP=gcc -E -ffreestanding" command.
  • You must have the necessary permissions to execute a WMIC command.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Microsoft WMI connector row, and in the Configure tab enter the required configuration details.

Parameter Description
Username Username to access the Microsoft WMI instance.
Password Password to access the Microsoft WMI instance.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

Function Description Annotation and Category
Get Services Retrieves a list of services that are installed on the system. get_services
Investigation
Get Processes Retrieves a list of processes that are installed on the system. list_processes
Investigation
Get System Information Retrieves information, such as Workgroup name and System Startup Options about the system. get_system_info
Investigation
Get Users Retrieves a list of users that are configured on the system. get_users
Investigation
Run Query Runs an arbitrary query in the WQL format on the system. For information on WQL, Click here. run_query
Investigation

operation: Get Services

Input parameters

Parameter Description
IP Address IP address or FQDN of the Microsoft WMI server to which you will connect and perform automated operations.

Output

The JSON output contains a list of services installed on the system.

The output contains the following populated JSON schema:
{
     "ServiceDetails": [
         {
             "StartName": "",
             "TagId": "",
             "AcceptStop": "",
             "AcceptPause": "",
             "Started": "",
             "Name": "",
             "State": "",
             "StartMode": "",
             "SystemCreationClassName": "",
             "DisplayName": "",
             "SystemName": "",
             "ExitCode": "",
             "CheckPoint": "",
             "DesktopInteract": "",
             "InstallDate": "",
             "ServiceSpecificExitCode": "",
             "ProcessId": "",
             "WaitHint": "",
             "Status": "",
             "ErrorControl": "",
             "CreationClassName": "",
             "PathName": "",
             "Caption": "",
             "ServiceType": "",
             "Description": ""
         }
     ]
}

operation: Get Processes

Input parameters

Parameter Description
IP Address IP address or FQDN of the Microsoft WMI server to which you will connect and perform automated operations.

Output

The JSON output contains a list of processes installed on the system.

The output contains the following populated JSON schema:
{
     "ProcessDetails": [
         {
             "CommandLine": "",
             "VirtualSize": "",
             "OtherTransferCount": "",
             "Name": "",
             "ExecutionState": "",
             "Priority": "",
             "UserModeTime": "(null)",
             "QuotaNonPagedPoolUsage": "",
             "WriteTransferCount": "",
             "ExecutablePath": "",
             "InstallDate": "",
             "CSCreationClassName": "",
             "WindowsVersion": "",
             "CSName": "",
             "PeakPageFileUsage": "",
             "Status": "",
             "WriteOperationCount": "",
             "CreationClassName": "",
             "KernelModeTime": "",
             "OSName": "",
             "PeakVirtualSize": "",
             "QuotaPagedPoolUsage": "",
             "ReadOperationCount": "",
             "MinimumWorkingSetSize": "",
             "WorkingSetSize": "",
             "OtherOperationCount": "",
             "CreationDate": "",
             "TerminationDate": "",
             "OSCreationClassName": "",
             "PrivatePageCount": "",
             "QuotaPeakPagedPoolUsage": "",
             "ReadTransferCount": "",
             "MaximumWorkingSetSize": "",
             "SessionId": "",
             "ProcessId": "",
             "HandleCount": "",
             "PageFaults": "",
             "Handle": "",
             "PeakWorkingSetSize": "",
             "ThreadCount": "",
             "PageFileUsage": "",
             "Caption": "",
             "QuotaPeakNonPagedPoolUsage": "",
             "ParentProcessId": "",
             "Description": ""
         }
     ]
}

operation: Get System Information

Input parameters

Parameter Description
IP Address IP address or FQDN of the Microsoft WMI server to which you will connect and perform automated operations.

Output

The JSON output contains information, such as Workgroup name and System Startup Options about the system.

The output contains the following populated JSON schema:
{
     "OSDetails": [
         {
             "LastBootUpTime": "",
             "SuiteMask": "",
             "FreeSpaceInPagingFiles": "",
             "BootDevice": "",
             "Manufacturer": "",
             "PlusVersionNumber": "",
             "LocalDateTime": "",
             "SystemDirectory": "",
             "DataExecutionPrevention_Available": "",
             "MUILanguages": "",
             "DataExecutionPrevention_SupportPolicy": "",
             "SystemDevice": "",
             "OtherTypeDescription": "",
             "ServicePackMajorVersion": "",
             "RegisteredUser": "",
             "Distributed": "",
             "NumberOfLicensedUsers": "",
             "OSType": "",
             "Primary": "",
             "CSCreationClassName": "",
             "Organization": "",
             "WindowsDirectory": "",
             "CurrentTimeZone": "",
             "SystemDrive": "",
             "Status": "",
             "ProductType": "",
             "CreationClassName": "",
             "PlusProductID": "",
             "NumberOfUsers": "",
             "InstallDate": "",
             "EncryptionLevel": "",
             "OSLanguage": "",
             "BuildType": "",
             "OperatingSystemSKU": "",
             "FreePhysicalMemory": "",
             "TotalSwapSpaceSize": "",
             "BuildNumber": "",
             "NumberOfProcesses": "",
             "LargeSystemCache": "",
             "ServicePackMinorVersion": "",
             "MaxProcessMemorySize": "",
             "FreeVirtualMemory": "",
             "OSProductSuite": "",
             "Name": "",
             "CSName": "",
             "SizeStoredInPagingFiles": "",
             "DataExecutionPrevention_32BitApplications": "",
             "MaxNumberOfProcesses": "",
             "DataExecutionPrevention_Drivers": "",
             "TotalVirtualMemorySize": "",
             "CodeSet": "",
             "Version": "",
             "SerialNumber": "",
             "TotalVisibleMemorySize": "",
             "OSArchitecture": "",
             "Debug": "",
             "CountryCode": "",
             "Locale": "",
             "ForegroundApplicationBoost": "",
             "CSDVersion": "",
             "Caption": "",
             "PAEEnabled": "",
             "Description": ""
         }
     ],
     "SystemDetails": [
         {
             "AutomaticManagedPagefile": "",
             "Manufacturer": "",
             "SystemType": "",
             "PrimaryOwnerContact": "",
             "SystemStartupOptions": "",
             "FrontPanelResetStatus": "",
             "AdminPasswordStatus": "",
             "PrimaryOwnerName": "",
             "SystemStartupSetting": "",
             "ResetCount": "",
             "CreationClassName": "",
             "Model": "",
             "InstallDate": "",
             "WakeUpType": "",
             "NameFormat": "",
             "PowerOnPasswordStatus": "",
             "CurrentTimeZone": "",
             "OEMLogoBitmap": "",
             "AutomaticResetCapability": "",
             "NumberOfLogicalProcessors": "",
             "UserName": "",
             "Status": "",
             "SupportContactDescription": "",
             "ResetLimit": "",
             "DaylightInEffect": "",
             "Domain": "",
             "PowerState": "",
             "LastLoadInfo": "",
             "ResetCapability": "",
             "PowerSupplyState": "",
             "DNSHostName": "",
             "EnableDaylightSavingsTime": "",
             "DomainRole": "",
             "BootROMSupported": "",
             "ThermalState": "",
             "PowerManagementCapabilities": "",
             "NumberOfProcessors": "",
             "InitialLoadInfo": "",
             "ChassisBootupState": "",
             "Name": "",
             "NetworkServerModeEnabled": "",
             "TotalPhysicalMemory": "",
             "Roles": "",
             "PauseAfterReset": "",
             "BootupState": "",
             "InfraredSupported": "",
             "PCSystemType": "",
             "BootOptionOnLimit": "",
             "PartOfDomain": "",
             "SystemStartupDelay": "",
             "PowerManagementSupported": "",
             "Workgroup": "",
             "Caption": "",
             "AutomaticResetBootOption": "",
             "Description": "",
             "BootOptionOnWatchDog": "",
             "KeyboardPasswordStatus": "",
             "OEMStringArray": ""
         }
     ],
     "BootConfigDetails": [
         {
             "BootDirectory": "",
             "ScratchDirectory": "",
             "ConfigurationPath": "",
             "SettingID": "",
             "Caption": "",
             "LastDrive": "",
             "TempDirectory": "",
             "Name": "",
             "Description": ""
         }
     ]
}

operation: Get Users

Input parameters

Parameter Description
IP Address IP address or FQDN of the Microsoft WMI server to which you will connect and perform automated operations.

Output

The JSON output contains a list of users configured on the system.

The output contains the following populated JSON schema:
{
     "UsersData": [
         {
             "PasswordExpires": "",
             "PasswordRequired": "",
             "FullName": "",
             "Disabled": "",
             "SID": "",
             "AccountType": "",
             "Domain": "",
             "Status": "",
             "SIDType": "",
             "Lockout": "",
             "LocalAccount": "",
             "Name": "",
             "Caption": "",
             "PasswordChangeable": "",
             "InstallDate": "",
             "Description": ""
         }
     ]
}

operation: Run Query

Input parameters

Parameter Description
IP Address IP address or FQDN of the Microsoft WMI server to which you will connect and perform automated operations.
Query Arbitrary query in the WQL format to be run on the system.

Output

The JSON output contains the result of the query, which is dependent on the query that you run.

Included playbooks

The Sample - Microsoft-WMI - 1.1.0 playbook collection comes bundled with the Microsoft WMI connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Microsoft WMI connector.

  • Get Processes
  • Get Services
  • Get System Information
  • Get Users
  • Run Query

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.

About the connector

Microsoft Windows Management Instrumentation (WMI) provides the infrastructure for management data and operations on Windows-based operating systems. You can write WMI scripts or applications to automate administrative tasks on remote computers. However, WMI also supplies management data to other parts of the operating system and products, for example, System Center Operations Manager, formerly Microsoft Operations Manager (MOM) or Windows Remote Management (WinRM).

This document provides information about the Microsoft WMI connector, which facilitates remote execution of commands on a Microsoft WMI server using FortiSOAR™ playbooks. Add the Microsoft WMI connector as a step in FortiSOAR™ playbooks and perform automated operations, such as getting a list of installed services on the system, getting a list of processes on the system, and running an arbitrary query using WQL (SQL for WMI) on the system.

Version information

Connector Version: 1.1.0

FortiSOAR™ Version Tested on: 4.12.0-746

Microsoft WMI Version Tested on: wmi-1.3.14

Authored By: Fortinet.

Certified: Yes

Release Notes for version 1.1.0

Following enhancements have been made to the Microsoft WMI Connector in version 1.1.0:

Installing the connector

For the procedure to install a connector, click here.

Prerequisites to configuring the connector

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Microsoft WMI connector row, and in the Configure tab enter the required configuration details.

Parameter Description
Username Username to access the Microsoft WMI instance.
Password Password to access the Microsoft WMI instance.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

Function Description Annotation and Category
Get Services Retrieves a list of services that are installed on the system. get_services
Investigation
Get Processes Retrieves a list of processes that are installed on the system. list_processes
Investigation
Get System Information Retrieves information, such as Workgroup name and System Startup Options about the system. get_system_info
Investigation
Get Users Retrieves a list of users that are configured on the system. get_users
Investigation
Run Query Runs an arbitrary query in the WQL format on the system. For information on WQL, Click here. run_query
Investigation

operation: Get Services

Input parameters

Parameter Description
IP Address IP address or FQDN of the Microsoft WMI server to which you will connect and perform automated operations.

Output

The JSON output contains a list of services installed on the system.

The output contains the following populated JSON schema:
{
     "ServiceDetails": [
         {
             "StartName": "",
             "TagId": "",
             "AcceptStop": "",
             "AcceptPause": "",
             "Started": "",
             "Name": "",
             "State": "",
             "StartMode": "",
             "SystemCreationClassName": "",
             "DisplayName": "",
             "SystemName": "",
             "ExitCode": "",
             "CheckPoint": "",
             "DesktopInteract": "",
             "InstallDate": "",
             "ServiceSpecificExitCode": "",
             "ProcessId": "",
             "WaitHint": "",
             "Status": "",
             "ErrorControl": "",
             "CreationClassName": "",
             "PathName": "",
             "Caption": "",
             "ServiceType": "",
             "Description": ""
         }
     ]
}

operation: Get Processes

Input parameters

Parameter Description
IP Address IP address or FQDN of the Microsoft WMI server to which you will connect and perform automated operations.

Output

The JSON output contains a list of processes installed on the system.

The output contains the following populated JSON schema:
{
     "ProcessDetails": [
         {
             "CommandLine": "",
             "VirtualSize": "",
             "OtherTransferCount": "",
             "Name": "",
             "ExecutionState": "",
             "Priority": "",
             "UserModeTime": "(null)",
             "QuotaNonPagedPoolUsage": "",
             "WriteTransferCount": "",
             "ExecutablePath": "",
             "InstallDate": "",
             "CSCreationClassName": "",
             "WindowsVersion": "",
             "CSName": "",
             "PeakPageFileUsage": "",
             "Status": "",
             "WriteOperationCount": "",
             "CreationClassName": "",
             "KernelModeTime": "",
             "OSName": "",
             "PeakVirtualSize": "",
             "QuotaPagedPoolUsage": "",
             "ReadOperationCount": "",
             "MinimumWorkingSetSize": "",
             "WorkingSetSize": "",
             "OtherOperationCount": "",
             "CreationDate": "",
             "TerminationDate": "",
             "OSCreationClassName": "",
             "PrivatePageCount": "",
             "QuotaPeakPagedPoolUsage": "",
             "ReadTransferCount": "",
             "MaximumWorkingSetSize": "",
             "SessionId": "",
             "ProcessId": "",
             "HandleCount": "",
             "PageFaults": "",
             "Handle": "",
             "PeakWorkingSetSize": "",
             "ThreadCount": "",
             "PageFileUsage": "",
             "Caption": "",
             "QuotaPeakNonPagedPoolUsage": "",
             "ParentProcessId": "",
             "Description": ""
         }
     ]
}

operation: Get System Information

Input parameters

Parameter Description
IP Address IP address or FQDN of the Microsoft WMI server to which you will connect and perform automated operations.

Output

The JSON output contains information, such as Workgroup name and System Startup Options about the system.

The output contains the following populated JSON schema:
{
     "OSDetails": [
         {
             "LastBootUpTime": "",
             "SuiteMask": "",
             "FreeSpaceInPagingFiles": "",
             "BootDevice": "",
             "Manufacturer": "",
             "PlusVersionNumber": "",
             "LocalDateTime": "",
             "SystemDirectory": "",
             "DataExecutionPrevention_Available": "",
             "MUILanguages": "",
             "DataExecutionPrevention_SupportPolicy": "",
             "SystemDevice": "",
             "OtherTypeDescription": "",
             "ServicePackMajorVersion": "",
             "RegisteredUser": "",
             "Distributed": "",
             "NumberOfLicensedUsers": "",
             "OSType": "",
             "Primary": "",
             "CSCreationClassName": "",
             "Organization": "",
             "WindowsDirectory": "",
             "CurrentTimeZone": "",
             "SystemDrive": "",
             "Status": "",
             "ProductType": "",
             "CreationClassName": "",
             "PlusProductID": "",
             "NumberOfUsers": "",
             "InstallDate": "",
             "EncryptionLevel": "",
             "OSLanguage": "",
             "BuildType": "",
             "OperatingSystemSKU": "",
             "FreePhysicalMemory": "",
             "TotalSwapSpaceSize": "",
             "BuildNumber": "",
             "NumberOfProcesses": "",
             "LargeSystemCache": "",
             "ServicePackMinorVersion": "",
             "MaxProcessMemorySize": "",
             "FreeVirtualMemory": "",
             "OSProductSuite": "",
             "Name": "",
             "CSName": "",
             "SizeStoredInPagingFiles": "",
             "DataExecutionPrevention_32BitApplications": "",
             "MaxNumberOfProcesses": "",
             "DataExecutionPrevention_Drivers": "",
             "TotalVirtualMemorySize": "",
             "CodeSet": "",
             "Version": "",
             "SerialNumber": "",
             "TotalVisibleMemorySize": "",
             "OSArchitecture": "",
             "Debug": "",
             "CountryCode": "",
             "Locale": "",
             "ForegroundApplicationBoost": "",
             "CSDVersion": "",
             "Caption": "",
             "PAEEnabled": "",
             "Description": ""
         }
     ],
     "SystemDetails": [
         {
             "AutomaticManagedPagefile": "",
             "Manufacturer": "",
             "SystemType": "",
             "PrimaryOwnerContact": "",
             "SystemStartupOptions": "",
             "FrontPanelResetStatus": "",
             "AdminPasswordStatus": "",
             "PrimaryOwnerName": "",
             "SystemStartupSetting": "",
             "ResetCount": "",
             "CreationClassName": "",
             "Model": "",
             "InstallDate": "",
             "WakeUpType": "",
             "NameFormat": "",
             "PowerOnPasswordStatus": "",
             "CurrentTimeZone": "",
             "OEMLogoBitmap": "",
             "AutomaticResetCapability": "",
             "NumberOfLogicalProcessors": "",
             "UserName": "",
             "Status": "",
             "SupportContactDescription": "",
             "ResetLimit": "",
             "DaylightInEffect": "",
             "Domain": "",
             "PowerState": "",
             "LastLoadInfo": "",
             "ResetCapability": "",
             "PowerSupplyState": "",
             "DNSHostName": "",
             "EnableDaylightSavingsTime": "",
             "DomainRole": "",
             "BootROMSupported": "",
             "ThermalState": "",
             "PowerManagementCapabilities": "",
             "NumberOfProcessors": "",
             "InitialLoadInfo": "",
             "ChassisBootupState": "",
             "Name": "",
             "NetworkServerModeEnabled": "",
             "TotalPhysicalMemory": "",
             "Roles": "",
             "PauseAfterReset": "",
             "BootupState": "",
             "InfraredSupported": "",
             "PCSystemType": "",
             "BootOptionOnLimit": "",
             "PartOfDomain": "",
             "SystemStartupDelay": "",
             "PowerManagementSupported": "",
             "Workgroup": "",
             "Caption": "",
             "AutomaticResetBootOption": "",
             "Description": "",
             "BootOptionOnWatchDog": "",
             "KeyboardPasswordStatus": "",
             "OEMStringArray": ""
         }
     ],
     "BootConfigDetails": [
         {
             "BootDirectory": "",
             "ScratchDirectory": "",
             "ConfigurationPath": "",
             "SettingID": "",
             "Caption": "",
             "LastDrive": "",
             "TempDirectory": "",
             "Name": "",
             "Description": ""
         }
     ]
}

operation: Get Users

Input parameters

Parameter Description
IP Address IP address or FQDN of the Microsoft WMI server to which you will connect and perform automated operations.

Output

The JSON output contains a list of users configured on the system.

The output contains the following populated JSON schema:
{
     "UsersData": [
         {
             "PasswordExpires": "",
             "PasswordRequired": "",
             "FullName": "",
             "Disabled": "",
             "SID": "",
             "AccountType": "",
             "Domain": "",
             "Status": "",
             "SIDType": "",
             "Lockout": "",
             "LocalAccount": "",
             "Name": "",
             "Caption": "",
             "PasswordChangeable": "",
             "InstallDate": "",
             "Description": ""
         }
     ]
}

operation: Run Query

Input parameters

Parameter Description
IP Address IP address or FQDN of the Microsoft WMI server to which you will connect and perform automated operations.
Query Arbitrary query in the WQL format to be run on the system.

Output

The JSON output contains the result of the query, which is dependent on the query that you run.

Included playbooks

The Sample - Microsoft-WMI - 1.1.0 playbook collection comes bundled with the Microsoft WMI connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Microsoft WMI connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.