WMI
Integration version: 7.0
Configure WMI integration in Google Security Operations
For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.
Install WMI client
To run the WMI client, execute the following commands to install the WMI
client on the Google Security Operations Linux Server.
Make sure you have the appropriate permissions to run the commands (root). When
working with the Remote Agent, run the commands on the Remote Agent server.
Use the following parameters to configure the integration:
| Parameter Display Name | Type | Default Value | Is mandatory | Description |
| --- | --- | --- | --- | --- |
| Instance Name | String | N/A | No | Name of the Instance you intend to configure integration for. |
| Description | String | N/A | No | Description of the Instance. |
| Run Remotely | Checkbox | Unchecked | No | Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent). |
Actions
Get System Info
Description
Get information about a system.
Parameters
| Parameter | Type | Default Value | Is Mandatory | Description |
| --- | --- | --- | --- | --- |
| Server Address | String | N/A | Yes | N/A |
| Username | String | N/A | No | N/A |
| Password | String | N/A | No | N/A |
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
| --- | --- | --- |
| system_info | True/False | system_info:False |
JSON Result
{
    "NumberOfProcessors": 1,
    "MaxProcessMemorySize": "137438953344",
    "SystemDrive": "C:",
    "WakeUpType": 6,
    "ChassisSKUNumber": "Notebook",
    "BootROMSupported": true,
    "ForegroundApplicationBoost": 2,
    "OperatingSystemSKU": 126,
    "AdminPasswordStatus": 3,
    "SuiteMask": 272,
    "InstallDate": "20161205114436.000000+120",
    "Distributed": false,
    "EncryptionLevel": 256,
    "FrontPanelResetStatus": 3,
    "Debug": false,
    "Organization": "",
    "AutomaticManagedPagefile": true,
    "PowerSupplyState": 3,
    "InfraredSupported": false,
    "LargeSystemCache": null,
    "CodeSet": "1252",
    "FreeSpaceInPagingFiles": "2415000",
    "DataExecutionPrevention_32BitApplications": true,
    "PrimaryOwnerContact": null,
    "KeyboardPasswordStatus": 3,
    "BootStatus": [0, 0, 0],
    "MaxNumberOfProcesses": -1,
    "FreePhysicalMemory": "8962948",
    "DataExecutionPrevention_Available": true,
    "PCSystemTypeEx": 2,
    "CSDVersion": null,
    "PartOfDomain": true,
    "SystemFamily": "Latitude",
    "DomainRole": 1,
    "CurrentTimeZone": 120,
    "OSType": 18,
    "SystemDirectory": "C:\\\\Windows\\\\system32",
    "Workgroup": null,
    "CountryCode": "1",
    "NameFormat": null,
    "PAEEnabled": null,
    "AutomaticResetCapability": true,
    "DataExecutionPrevention_Drivers": true,
    "TotalVirtualMemorySize": "18896472",
    "NumberOfLicensedUsers": 0,
    "DataExecutionPrevention_SupportPolicy": 2,
    "TotalSwapSpaceSize": null,
    "PowerOnPasswordStatus": 3,
    "HypervisorPresent": false,
    "SystemStartupSetting": null,
    "LocalDateTime": "20180220173653.403000+120",
    "SystemDevice": "\\\\Device\\\\HarddiskVolume2",
    "PortableOperatingSystem": false,
    "Domain": "DOMAIN.COM",
    "TotalPhysicalMemory": "16799850496",
    "ChassisBootupState": 3,
    "SystemType": "x64-based PC",
    "DNSHostName": "PC-01",
    "EnableDaylightSavingsTime": true,
    "PCSystemType": 2,
    "PrimaryOwnerName": "Windows User",
    "WindowsDirectory": "C:\\\\Windows",
    "PowerState": 0,
    "ResetCount": -1,
    "LastLoadInfo": null,
    "ServicePackMinorVersion": 0,
    "OEMStringArray": ["Dell System", "1[07A0]", "3[1.0]"],
    "BootOptionOnWatchDog": null,
    "Status": "OK",
    "OSArchitecture": "64-bit",
    "SystemStartupOptions": null,
    "OSLanguage": 1033,
    "InitialLoadInfo": null,
    "Manufacturer": "Microsoft Corporation",
    "BuildType": "Multiprocessor Free",
    "FreeVirtualMemory": "9128168",
    "OtherTypeDescription": null,
    "OEMLogoBitmap": null,
    "ServicePackMajorVersion": 0,
    "Version": "10.0.14393",
    "ThermalState": 3,
    "LastBootUpTime": "20180218183758.487061+120",
    "SizeStoredInPagingFiles": "2490368",
    "NumberOfProcesses": 133,
    "PowerManagementSupported": null,
    "CSName": "PC-01",
    "SerialNumber": "00378-30000-00003-AA585",
    "MUILanguages": ["en-US"],
    "SupportContactDescription": null,
    "Primary": true,
    "SystemStartupDelay": null,
    "ResetLimit": -1,
    "ProductType": 1,
    "RegisteredUser": "Windows User",
    "Roles": ["LM_Workstation", "LM_Server", "SQLServer"],
    "PlusProductID": null,
    "ResetCapability": 1,
    "SystemSKUNumber": "07A0",
    "OSProductSuite": 256,
    "PauseAfterReset": "-1",
    "NumberOfUsers": 6,
    "BootupState": "Normal boot",
    "Name": "Microsoft Windows 10 Enterprise N 2016 LTSB|C:\\\\Windows|\\\\Device\\\\Harddisk0\\\\Partition2",
    "AutomaticResetBootOption": true,
    "Caption": "Microsoft Windows 10 Enterprise N 2016 LTSB",
    "TotalVisibleMemorySize": "16406104",
    "PowerManagementCapabilities": null,
    "Model": "Latitude 7480",
    "PlusVersionNumber": null,
    "Description": "",
    "NetworkServerModeEnabled": true,
    "NumberOfLogicalProcessors": 4,
    "BootOptionOnLimit": null,
    "Locale": "0409",
    "CSCreationClassName": "Win32_ComputerSystem",
    "UserName": "DOMAIN\\\\User",
    "BuildNumber": "14393",
    "DaylightInEffect": false,
    "CreationClassName": "Win32_OperatingSystem",
    "BootDevice": "\\\\Device\\\\HarddiskVolume1"
}
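The InstallDate, LastBootUpTime and LocalDateTime values in this result use the WMI CIM_DATETIME layout, where the trailing `+120` is a UTC offset in minutes. The following Python is an added example, not part of the integration's code, that converts them to UTC for timeline correlation; the function names `parse_cim_datetime` and `system_timeline` are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# CIM_DATETIME: yyyymmddHHMMSS.ffffff followed by a signed UTC offset in MINUTES.
_CIM = re.compile(r"^(\d{14})\.(\d{6})([+-])(\d{3})$")


def parse_cim_datetime(value):
    """Return a timezone-aware datetime, or None for null, wildcard or malformed values."""
    m = _CIM.match(value or "")
    if not m:
        return None
    stamp, micros, sign, minutes = m.groups()
    offset = timedelta(minutes=int(minutes) if sign == "+" else -int(minutes))
    try:
        local = datetime.strptime(stamp, "%Y%m%d%H%M%S")
    except ValueError:  # e.g. month 13
        return None
    return local.replace(microsecond=int(micros), tzinfo=timezone(offset))


def system_timeline(info):
    """Normalise the timestamp fields of a Get System Info result to UTC."""
    parsed = {k: parse_cim_datetime(info.get(k))
              for k in ("InstallDate", "LastBootUpTime", "LocalDateTime")}
    out = {k: v.astimezone(timezone.utc).isoformat() if v else None
           for k, v in parsed.items()}
    boot, now = parsed["LastBootUpTime"], parsed["LocalDateTime"]
    # Uptime as seen by the host at query time; None if either field is unusable.
    out["Uptime"] = (now - boot) if boot and now else None
    return out


# Timestamp fields copied from the sample JSON result on this page.
SAMPLE = {
    "InstallDate": "20161205114436.000000+120",
    "LastBootUpTime": "20180218183758.487061+120",
    "LocalDateTime": "20180220173653.403000+120",
}

if __name__ == "__main__":
    for field, value in system_timeline(SAMPLE).items():
        print(f"{field}: {value}")
```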
List Services
Description
Get the list of installed services on the system.
Parameters
| Parameter | Type | Default Value | Is Mandatory | Description |
| --- | --- | --- | --- | --- |
| Server Address | String | N/A | Yes | N/A |
| Username | String | N/A | No | N/A |
| Password | String | N/A | No | N/A |
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
| --- | --- | --- |
| services | True/False | services:False |
JSON Result
[
    {
        "DisplayName": "Adobe Flash Player Update Service",
        "ServiceSpecificExitCode": 0,
        "State": "Stopped",
        "SystemName": "PC-01",
        "ErrorControl": "Normal",
        "Status": "OK",
        "ProcessId": 0,
        "DesktopInteract": false,
        "Started": false,
        "AcceptStop": false,
        "CheckPoint": 0,
        "PathName": "C:\\\\Windows\\\\SysWOW64\\\\Macromed\\\\Flash\\\\FlashPlayerUpdateService.exe",
        "WaitHint": 0,
        "Name": "AdobeFlashPlayerUpdateSvc",
        "InstallDate": null,
        "Caption": "Adobe Flash Player Update Service",
        "StartMode": "Manual",
        "Description": "This service keeps your Adobe Flash Player installation up to date with the latest enhancements and security fixes.",
        "ServiceType": "Own Process",
        "TagId": 0,
        "DelayedAutoStart": false,
        "StartName": "LocalSystem",
        "AcceptPause": false,
        "CreationClassName": "Win32_Service",
        "SystemCreationClassName": "Win32_ComputerSystem",
        "ExitCode": 0
    }
]
List Users
Description
List all users configured on a system.
Parameters
| Parameter | Type | Default Value | Is Mandatory | Description |
| --- | --- | --- | --- | --- |
| Server Address | String | N/A | Yes | N/A |
| Username | String | N/A | No | N/A |
| Password | String | N/A | No | User's full name. |
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
| --- | --- | --- |
| users | N/A | N/A |
JSON Result
[
    {
        "Status": "Degraded",
        "Domain": "PC-01",
        "Description": "Built-in account for administering the computer/domain",
        "InstallDate": null,
        "Caption": "PC-01\\\\Administrator",
        "Disabled": true,
        "PasswordChangeable": true,
        "Lockout": false,
        "AccountType": 512,
        "SID": "S-1-5-21-3501119061-1410835827-1917537121-500",
        "LocalAccount": true,
        "FullName": "",
        "SIDType": 1,
        "PasswordRequired": true,
        "PasswordExpires": false,
        "Name": "Administrator"
    }
]
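The List Users and List Services results carry fields a playbook can triage directly: Disabled, PasswordRequired, PasswordExpires and SID for accounts, and PathName and StartName for services. The following Python is an added example, not part of the integration's code; the function names, the `TRUSTED_DIRS` list and every sample record other than the page's own Administrator and AdobeFlashPlayerUpdateSvc entries are assumptions constructed for illustration.

```python
import re

# Assumption: directories this triage treats as expected homes for service binaries.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def _norm(path):
    # The page's samples carry doubled separators; collapse each run to one.
    return re.sub(r"\\{2,}", r"\\", path or "")

def review_user(u):
    findings, sid = [], u.get("SID") or ""
    enabled = not u.get("Disabled", False)
    # RID 500 identifies the built-in Administrator even after a rename.
    if enabled and sid.startswith("S-1-5-21-") and sid.endswith("-500"):
        findings.append("built-in Administrator (RID 500) is enabled")
    if enabled and u.get("PasswordRequired") is False:
        findings.append("no password required")
    if enabled and u.get("PasswordExpires") is False:
        findings.append("password never expires")
    return findings

def review_service(s):
    findings, path = [], _norm(s.get("PathName")).strip()
    quoted = path.startswith('"')
    if quoted:
        image = path[1:].split('"', 1)[0]
    else:
        m = re.match(r".+?\.exe", path, re.I)
        image = m.group(0) if m else path.split(" ", 1)[0]
    if not quoted and " " in image:
        findings.append("unquoted image path containing spaces")
    system = (s.get("StartName") or "").lower() == "localsystem"
    if system and image and not image.lower().startswith(TRUSTED_DIRS):
        findings.append("LocalSystem service outside Windows/Program Files")
    return findings

def triage(records, reviewer):
    # Map each record's Name to its findings, keeping only records that have any.
    return {r.get("Name"): f for r in records if (f := reviewer(r))}

# Constructed samples, trimmed to the fields the checks read.
USERS = [
    {"Name": "Administrator", "Disabled": True, "PasswordRequired": True,
     "PasswordExpires": False, "SID": "S-1-5-21-3501119061-1410835827-1917537121-500"},
    {"Name": "itadmin", "Disabled": False, "SID": "S-1-5-21-1111111111-2222222222-3333333333-500"},
    {"Name": "helpdesk", "Disabled": False, "PasswordRequired": False,
     "PasswordExpires": False, "SID": "S-1-5-21-3501119061-1410835827-1917537121-1001"},
]
SERVICES = [
    {"Name": "AdobeFlashPlayerUpdateSvc", "StartName": "LocalSystem",
     "PathName": r"C:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashPlayerUpdateService.exe"},
    {"Name": "UpdaterSvc", "StartName": "LocalSystem", "PathName": r"C:\\Tools\\Vendor Updater\\upd.exe -k"},
]
print(triage(USERS, review_user), triage(SERVICES, review_service))
```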
Ping
Description
Test Connectivity.
Parameters
N/A
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
| --- | --- | --- |
| is_connected | True/False | is_connected:False |
JSON Result
N/A
Run Query
Description
Run an arbitrary query using WQL on the system.
Parameters
| Parameter | Type | Default Value | Is Mandatory | Description |
| --- | --- | --- | --- | --- |
| Server Address | String | N/A | Yes | N/A |
| Username | String | N/A | No | N/A |
| Password | String | N/A | No | N/A |
| WQL Query | String | N/A | Yes | Query content (e.g., SELECT Caption, Description FROM Win32_LogicalDisk WHERE DriveType <> 3). |
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
JSON Result
[
    {
        "Caption": "C:",
        "Description": "Local Fixed Disk",
        "DeviceID": "C:"
    },
    {
        "Caption": "I:",
        "Description": "Local Fixed Disk",
        "DeviceID": "I:"
    }
]
Install WMI client commands
    wget http://www6.atomicorp.com/channels/atomic/centos/7/x86_64/RPMS/wmi-1.3.14-4.el7.art.x86_64.rpm
    sudo yum localinstall wmi-1.3.14-4.el7.art.x86_64.rpm
Integration parameters note
Note: You can make changes at a later stage if needed. Once configured, the Instances can be used in Playbooks. For detailed information on configuring and supporting multiple instances, please see Supporting multiple instances.
Last updated 2025-09-04 UTC.