WMI

Publisher: Splunk
Connector Version: 2.1.7
Product Vendor: Microsoft
Product Name: Windows Server
Product Version Supported (regex): ".*"
Minimum Product Version: 5.1.0

This App uses the WMI WQL to implement investigative actions that are executed on a Windows endpoint

Windows Management Instrumentation (WMI) ports need to be opened up on the endpoint for the app to run WMI commands remotely. Depending upon your setup, this configuration can be part of a Group Policy Object (GPO) or carried out individually on the endpoint.

This app does not support proxies, and it will ignore any proxy settings.

wmi-client-wrapper

wmi-client-wrapper-py3

Configuration Variables

The below configuration variables are required for this Connector to operate. These variables are specified when configuring a Windows Server asset in SOAR.

VARIABLE	REQUIRED	TYPE	DESCRIPTION
server	required	string	Server IP/Hostname
username	required	string	Administrator username
password	required	password	Administrator password
force_ntlmv2	optional	boolean	Add option to force NTLMv2 (Used only for WMI)

Supported Actions

test connectivity - Validate the asset configuration for connectivity
list services - Get the list of installed services on the system
get system info - Get information about a system
list users - List users configured on a system
run query - Run an arbitrary query using WQL on the system

action: 'test connectivity'

Validate the asset configuration for connectivity

Type: test
Read only: True

Action Parameters

No parameters are required for this action

Action Output

No Output

action: 'list services'

Get the list of installed services on the system

Type: investigate
Read only: True

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
ip_hostname	required	Hostname/IP to list services running on	string	`ip` `host name`
namespace	optional	Namespace	string

Action Output

DATA PATH	TYPE	CONTAINS
action_result.status	string
action_result.parameter.ip_hostname	string	`ip` `host name`
action_result.parameter.namespace	string
action_result.data.*.AcceptPause	boolean
action_result.data.*.AcceptStop	boolean
action_result.data.*.Caption	string
action_result.data.*.CheckPoint	string
action_result.data.*.CreationClassName	string
action_result.data.*.Description	string
action_result.data.*.DesktopInteract	boolean
action_result.data.*.DisconnectedSessions	string
action_result.data.*.DisplayName	string
action_result.data.*.ErrorControl	string
action_result.data.*.ExitCode	string
action_result.data.*.InstallDate	string
action_result.data.*.Name	string
action_result.data.*.PathName	string	`file path` `file name`
action_result.data.*.ProcessId	string	`pid`
action_result.data.*.ServiceSpecificExitCode	string
action_result.data.*.ServiceType	string
action_result.data.*.StartMode	string
action_result.data.*.StartName	string
action_result.data.*.Started	boolean
action_result.data.*.State	string
action_result.data.*.Status	string
action_result.data.*.SystemCreationClassName	string
action_result.data.*.SystemName	string
action_result.data.*.TagId	string
action_result.data.*.TotalSessions	string
action_result.data.*.WaitHint	string
action_result.summary.running_services	numeric
action_result.summary.total_services	numeric
action_result.message	string
summary.total_objects	numeric
summary.total_objects_successful	numeric

action: 'get system info'

Get information about a system

Type: investigate
Read only: True

For information on Namespaces of Windows Management Instrumentation, refer to the 'Namespace Parameter' section in the documentation.

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
ip_hostname	required	Hostname/IP address to get info of	string	`ip` `host name`
namespace	optional	Namespace	string

Action Output

DATA PATH	TYPE	CONTAINS
action_result.status	string
action_result.parameter.ip_hostname	string	`ip` `host name`
action_result.parameter.namespace	string
action_result.data.*.boot_config_details.BootDirectory	string	`file path`
action_result.data.*.boot_config_details.Caption	string
action_result.data.*.boot_config_details.ConfigurationPath	string	`file path`
action_result.data.*.boot_config_details.Description	string
action_result.data.*.boot_config_details.LastDrive	string
action_result.data.*.boot_config_details.Name	string
action_result.data.*.boot_config_details.ScratchDirectory	string	`file path`
action_result.data.*.boot_config_details.SettingID	string
action_result.data.*.boot_config_details.TempDirectory	string	`file path`
action_result.data.*.os_details.BootDevice	string
action_result.data.*.os_details.BuildNumber	string
action_result.data.*.os_details.BuildType	string
action_result.data.*.os_details.CSCreationClassName	string
action_result.data.*.os_details.CSDVersion	string
action_result.data.*.os_details.CSName	string
action_result.data.*.os_details.Caption	string
action_result.data.*.os_details.CodeSet	string
action_result.data.*.os_details.CountryCode	string
action_result.data.*.os_details.CreationClassName	string
action_result.data.*.os_details.CurrentTimeZone	string
action_result.data.*.os_details.DataExecutionPrevention_32BitApplications	boolean
action_result.data.*.os_details.DataExecutionPrevention_Available	boolean
action_result.data.*.os_details.DataExecutionPrevention_Drivers	boolean
action_result.data.*.os_details.DataExecutionPrevention_SupportPolicy	string
action_result.data.*.os_details.Debug	boolean
action_result.data.*.os_details.Description	string
action_result.data.*.os_details.Distributed	boolean
action_result.data.*.os_details.EncryptionLevel	string
action_result.data.*.os_details.ForegroundApplicationBoost	string
action_result.data.*.os_details.FreePhysicalMemory	string
action_result.data.*.os_details.FreeSpaceInPagingFiles	string
action_result.data.*.os_details.FreeVirtualMemory	string
action_result.data.*.os_details.InstallDate	string
action_result.data.*.os_details.LargeSystemCache	string
action_result.data.*.os_details.LastBootUpTime	string
action_result.data.*.os_details.LocalDateTime	string
action_result.data.*.os_details.Locale	string
action_result.data.*.os_details.MUILanguages	string
action_result.data.*.os_details.Manufacturer	string
action_result.data.*.os_details.MaxNumberOfProcesses	string
action_result.data.*.os_details.MaxProcessMemorySize	string
action_result.data.*.os_details.Name	string
action_result.data.*.os_details.NumberOfLicensedUsers	string
action_result.data.*.os_details.NumberOfProcesses	string
action_result.data.*.os_details.NumberOfUsers	string
action_result.data.*.os_details.OSArchitecture	string
action_result.data.*.os_details.OSLanguage	string
action_result.data.*.os_details.OSProductSuite	string
action_result.data.*.os_details.OSType	string
action_result.data.*.os_details.OperatingSystemSKU	string
action_result.data.*.os_details.Organization	string
action_result.data.*.os_details.OtherTypeDescription	string
action_result.data.*.os_details.PAEEnabled	boolean
action_result.data.*.os_details.PlusProductID	string
action_result.data.*.os_details.PlusVersionNumber	string
action_result.data.*.os_details.Primary	boolean
action_result.data.*.os_details.ProductType	string
action_result.data.*.os_details.RegisteredUser	string
action_result.data.*.os_details.SerialNumber	string
action_result.data.*.os_details.ServicePackMajorVersion	string
action_result.data.*.os_details.ServicePackMinorVersion	string
action_result.data.*.os_details.SizeStoredInPagingFiles	string
action_result.data.*.os_details.Status	string
action_result.data.*.os_details.SuiteMask	string
action_result.data.*.os_details.SystemDevice	string
action_result.data.*.os_details.SystemDirectory	string	`file path`
action_result.data.*.os_details.SystemDrive	string
action_result.data.*.os_details.TotalSwapSpaceSize	string
action_result.data.*.os_details.TotalVirtualMemorySize	string
action_result.data.*.os_details.TotalVisibleMemorySize	string
action_result.data.*.os_details.Version	string
action_result.data.*.os_details.WindowsDirectory	string	`file path`
action_result.data.*.system_details.AdminPasswordStatus	string
action_result.data.*.system_details.AutomaticManagedPagefile	boolean
action_result.data.*.system_details.AutomaticResetBootOption	boolean
action_result.data.*.system_details.AutomaticResetCapability	boolean
action_result.data.*.system_details.BootOptionOnLimit	string
action_result.data.*.system_details.BootOptionOnWatchDog	string
action_result.data.*.system_details.BootROMSupported	boolean
action_result.data.*.system_details.BootupState	string
action_result.data.*.system_details.Caption	string
action_result.data.*.system_details.ChassisBootupState	string
action_result.data.*.system_details.CreationClassName	string
action_result.data.*.system_details.CurrentTimeZone	string
action_result.data.*.system_details.DNSHostName	string	`host name`
action_result.data.*.system_details.DaylightInEffect	boolean
action_result.data.*.system_details.Description	string
action_result.data.*.system_details.Domain	string	`domain`
action_result.data.*.system_details.DomainRole	string	`domain`
action_result.data.*.system_details.EnableDaylightSavingsTime	boolean
action_result.data.*.system_details.FrontPanelResetStatus	string
action_result.data.*.system_details.InfraredSupported	boolean
action_result.data.*.system_details.InitialLoadInfo	string
action_result.data.*.system_details.InstallDate	string
action_result.data.*.system_details.KeyboardPasswordStatus	string
action_result.data.*.system_details.LastLoadInfo	string
action_result.data.*.system_details.Manufacturer	string
action_result.data.*.system_details.Model	string
action_result.data.*.system_details.Name	string
action_result.data.*.system_details.NameFormat	string
action_result.data.*.system_details.NetworkServerModeEnabled	boolean
action_result.data.*.system_details.NumberOfLogicalProcessors	string
action_result.data.*.system_details.NumberOfProcessors	string
action_result.data.*.system_details.OEMLogoBitmap	string
action_result.data.*.system_details.OEMStringArray	string
action_result.data.*.system_details.PCSystemType	string
action_result.data.*.system_details.PartOfDomain	boolean	`domain`
action_result.data.*.system_details.PauseAfterReset	string
action_result.data.*.system_details.PowerManagementCapabilities	string
action_result.data.*.system_details.PowerManagementSupported	boolean
action_result.data.*.system_details.PowerOnPasswordStatus	string
action_result.data.*.system_details.PowerState	string
action_result.data.*.system_details.PowerSupplyState	string
action_result.data.*.system_details.PrimaryOwnerContact	string
action_result.data.*.system_details.PrimaryOwnerName	string
action_result.data.*.system_details.ResetCapability	string
action_result.data.*.system_details.ResetCount	string
action_result.data.*.system_details.ResetLimit	string
action_result.data.*.system_details.Roles	string
action_result.data.*.system_details.Status	string
action_result.data.*.system_details.SupportContactDescription	string
action_result.data.*.system_details.SystemStartupDelay	string
action_result.data.*.system_details.SystemStartupOptions	string
action_result.data.*.system_details.SystemStartupSetting	string
action_result.data.*.system_details.SystemType	string
action_result.data.*.system_details.ThermalState	string
action_result.data.*.system_details.TotalPhysicalMemory	string
action_result.data.*.system_details.UserName	string	`user name`
action_result.data.*.system_details.WakeUpType	string
action_result.data.*.system_details.Workgroup	string
action_result.summary.dns_hostname	string	`host name`
action_result.summary.domain	string	`domain`
action_result.summary.memory	string
action_result.summary.version	string
action_result.summary.workgroup	string
action_result.message	string
summary.total_objects	numeric
summary.total_objects_successful	numeric

action: 'list users'

List users configured on a system

Type: investigate
Read only: True

For information on Namespaces of Windows Management Instrumentation, refer to the 'Namespace Parameter' section in the documentation.

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
ip_hostname	required	Hostname/IP address to get users of	string	`ip` `host name`
namespace	optional	Namespace	string

Action Output

DATA PATH	TYPE	CONTAINS
action_result.status	string
action_result.parameter.ip_hostname	string	`ip` `host name`
action_result.parameter.namespace	string
action_result.data.*.AccountType	string
action_result.data.*.Caption	string	`user name`
action_result.data.*.Description	string
action_result.data.*.Disabled	boolean
action_result.data.*.Domain	string	`domain`
action_result.data.*.FullName	string
action_result.data.*.InstallDate	string
action_result.data.*.LocalAccount	boolean
action_result.data.*.Lockout	boolean
action_result.data.*.Name	string
action_result.data.*.PasswordChangeable	boolean
action_result.data.*.PasswordExpires	boolean
action_result.data.*.PasswordRequired	boolean
action_result.data.*.SID	string
action_result.data.*.SIDType	string
action_result.data.*.Status	string
action_result.summary.disabled_users	numeric
action_result.summary.total_users	numeric
action_result.message	string
summary.total_objects	numeric
summary.total_objects_successful	numeric

action: 'run query'

Run an arbitrary query using WQL on the system

Type: investigate
Read only: True

For information on Namespaces of Windows Management Instrumentation, refer to the 'Namespace Parameter' section in the documentation.

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
ip_hostname	required	Hostname/IP to run WMI query on	string	`ip` `host name`
query	required	Query (in WQL format)	string
namespace	optional	Namespace	string

Action Output

DATA PATH	TYPE	CONTAINS
action_result.status	string
action_result.parameter.ip_hostname	string	`ip` `host name`
action_result.parameter.namespace	string
action_result.parameter.query	string
action_result.data...AccountType	string
action_result.data...CSCreationClassName	string
action_result.data...CSName	string
action_result.data...Caption	string	`file name`
action_result.data...CommandLine	string	`file name` `file path`
action_result.data...CreationClassName	string
action_result.data...CreationDate	string
action_result.data...Description	string	`file name`
action_result.data...Disabled	boolean
action_result.data...Domain	string	`domain`
action_result.data...ExecutablePath	string	`file path` `file name`
action_result.data...ExecutionState	string
action_result.data...FullName	string
action_result.data...GroupComponent	string
action_result.data...Handle	string
action_result.data...HandleCount	string
action_result.data...InstallDate	string
action_result.data...KernelModeTime	string
action_result.data...LocalAccount	boolean
action_result.data...Lockout	boolean
action_result.data...MaximumWorkingSetSize	string
action_result.data...MinimumWorkingSetSize	string
action_result.data...Name	string	`file name`
action_result.data...OSCreationClassName	string
action_result.data...OSName	string
action_result.data...OtherOperationCount	string
action_result.data...OtherTransferCount	string
action_result.data...PageFaults	string
action_result.data...PageFileUsage	string
action_result.data...ParentProcessId	string	`pid`
action_result.data...PartComponent	string
action_result.data...PasswordChangeable	boolean
action_result.data...PasswordExpires	boolean
action_result.data...PasswordRequired	boolean
action_result.data...PeakPageFileUsage	string
action_result.data...PeakVirtualSize	string
action_result.data...PeakWorkingSetSize	string
action_result.data...Priority	string
action_result.data...PrivatePageCount	string
action_result.data...ProcessId	string	`pid`
action_result.data...QuotaNonPagedPoolUsage	string
action_result.data...QuotaPagedPoolUsage	string
action_result.data...QuotaPeakNonPagedPoolUsage	string
action_result.data...QuotaPeakPagedPoolUsage	string
action_result.data...ReadOperationCount	string
action_result.data...ReadTransferCount	string
action_result.data...SID	string
action_result.data...SIDType	string
action_result.data...SessionId	string
action_result.data...Status	string
action_result.data...TerminationDate	string
action_result.data...ThreadCount	string
action_result.data...UserModeTime	string
action_result.data...VirtualSize	string
action_result.data...WindowsVersion	string
action_result.data...WorkingSetSize	string
action_result.data...WriteOperationCount	string
action_result.data...WriteTransferCount	string
action_result.summary	string
action_result.message	string
summary.total_objects	numeric
summary.total_objects_successful	numeric

Name		Name	Last commit message	Last commit date
Latest commit History 142 Commits
.github/workflows		.github/workflows
release_notes		release_notes
wheels		wheels
wmi_client_wrapper		wmi_client_wrapper
.pre-commit-config.yaml		.pre-commit-config.yaml
CONTRIBUTING.md		CONTRIBUTING.md
LICENSE		LICENSE
NOTICE		NOTICE
README.md		README.md
__init__.py		__init__.py
exclude_files.txt		exclude_files.txt
logo_microsoft_wmi.svg		logo_microsoft_wmi.svg
logo_microsoft_wmi_dark.svg		logo_microsoft_wmi_dark.svg
readme.html		readme.html
requirements.txt		requirements.txt
wmi.json		wmi.json
wmi_connector.py		wmi_connector.py
wmi_consts.py		wmi_consts.py

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

WMI

wmi-client-wrapper

wmi-client-wrapper-py3

Configuration Variables

Supported Actions

action: 'test connectivity'

Action Parameters

Action Output

action: 'list services'

Action Parameters

Action Output

action: 'get system info'

Action Parameters

Action Output

action: 'list users'

Action Parameters

Action Output

action: 'run query'

Action Parameters

Action Output

About

Releases

Packages

Languages

License

pdros-splunk/wmi

Folders and files

Latest commit

History

Repository files navigation

WMI

wmi-client-wrapper

wmi-client-wrapper-py3

Configuration Variables

Supported Actions

action: 'test connectivity'

Action Parameters

Action Output

action: 'list services'

Action Parameters

Action Output

action: 'get system info'

Action Parameters

Action Output

action: 'list users'

Action Parameters

Action Output

action: 'run query'

Action Parameters

Action Output

About

Resources

License

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages