- Incident Responder i56 Release Notes
- What's New
- Known Issues
- Issues Fixed in Incident Responder i56.5 (General Availability)
- Issues Fixed in Incident Responder i56.6
- Issues Fixed in Incident Responder i56.7
- Issues Fixed in Incident Responder i56.8
- Issues Fixed in Incident Responder i56.9
- Issues Fixed in Incident Responder i56.10
- Issues Fixed in Incident Responder i56.11
- Issues Fixed in Incident Responder i56.12
- Issues Fixed in Incident Responder i56.13
- Issues Fixed in Incident Responder i56.14
- Get Started with Incident Responder
- Configure Incident Responder Settings
- Core Settings
- Analytics Settings
- Configure Services
- Prerequisites for Configuring Incident Responder Microsoft Services with OAuth2.0 Authentication
- Configure the Amazon Elastic Compute Cloud (EC2) Service
- Configure the Anomali ThreatStream API Service
- Configure the Atlassian Jira Service
- Configure the BMC Remedy Service
- Configure the Check Point Firewall Service
- Configure the Cisco AMP for Endpoints Service
- Configure the Cisco Services Engine (ISE) Service
- Configure the Cisco Threat Grid Service
- Configure the Cisco Umbrella Enforcement Service
- Configure the Cisco Umbrella Investigate Service
- Configure the CrowdStrike Falcon Host API Service Service
- Configure the CyberArk Service
- Configure the Cylance Protect Service
- Configure the Exabeam Advanced Analytics Service
- Configure the Exabeam DL Service
- Configure the FireEye HX Service
- Configure the Fortinet Service
- Configure the Google Gmail Service
- Configure the IntSights Cyber Intelligence Ltd. Service
- Configure the IRNotificationSMTPService Service
- Configure the Microsoft Active Directory (AD) (Latest) Service
- Configure the Microsoft Exchange Service
- Configure the Microsoft Outlook Office 365 Service
- Configure the Microsoft Windows Defender ATP Service
- Configure the Microsoft Windows Management Instrumentation Service
- Configure the Netskope Service
- Configure the Okta Service
- Configure the Palo Alto Networks Firewall Service
- Configure the Palo Alto Networks Wildfire Service
- Configure the Rapid7 insightVM Service
- Configure the SentinelOne Service
- Configure the SentinelOneV2 Service
- Configure the Service Now Service
- Configure the Slack Service
- Configure the SlashNext Service
- Configure the Splunk Service
- Configure the ThreatConnect API Service
- Configure the Urlscan.io API Service
- Configure the VirusTotal Service
- Configure the Zscaler Service
- Test a Service
- Edit a Service
- Disable a Service
- Upload a Custom Service
- Delete a Custom Service
- Create an Email Template for the Notify by Email Action
- Respond to Security Incidents
Configure the Microsoft Windows Management Instrumentation Service
Configure Microsoft Windows Management Instrumentation (WMI) as a service to connect to and gather information from endpoints using actions.
Prerequisites
Last updated: June 15, 2022
Ensure you have a Windows user account with the necessary permissions. To run any WMI action, you must have an account in the Administrators security group or configure a non-administrator account so it can execute WMI Control commands.
Configure a non-administrator account
To configure a non-administrator account so it can execute all WMI Control commands, you must add the account to the Distributed COM Users, Performance Monitor Users, and Event Log Readers security groups, then configure the group security settings.
1. Add the account to security groups
Open the Local User and Group Management snap-in console. There are two ways to open the console:
Open Computer Management, then navigate to System Tools > Local Users and Groups.
Run the
lusrmgr.msc
command: In the Run window, enter lusrmgr.msc, then click OK.
Add the account to the Distributed COM Users, Performance Monitor Users, and Event Log Readers security groups. There are two ways to add an account to a security group:
In the Users folder, right-click on the user, select Properties, then select the Member of tab. Click Add, then enter the group name. To validate the group name you entered, click Check Names. Click OK, click Add, then click OK.
In the Groups folder, right-click on the group, then select Properties. Click Add, then enter the user account name. To validate the name, click Check Names. Click OK, click Add, then click OK.
2. Configure security group permissions
To enable the Distributed COM Users and Performance Monitor Users security groups to access devices remotely, configure the groups' security settings.
Run the DCOMCNFG utility: In the Run window, enter DCOMCNFG, then click OK.
Navigate to Component Services > Computers, right-click My Computers, then select Properties.
Navigate to the COM Security tab, then under Launch and Activation Permissions, click Edit Limits.
Click Add, then under Enter the object names to select, enter the group name.
To validate the group name you entered, click Check Names.
Click OK, then click Add.
Assign both the Distributed COM Users and Performance Monitor Users security groups specific permissions:
In Group or user names, select a group.
Under Permissions for User, in the Allow column, select:
Local Launch
Remote Launch
Local Activation
Remote Activation
Click OK.
3. Apply WMI Control security settings to all namespaces
For the Incident Responder service to fetch data using WMI, you must give access to all classes under all namespaces for the Distributed COM Users and Performance Monitor Users security groups.
Run the winmgmt service: In the Run window, enter wmimgmt.msc, then click OK.
Right-click WMI Control (Local), then select Properties.
Navigate to the Security tab, click Root, click Security, then click Add.
For the Distributed COM Users and Performance Monitor Users security groups, assign namespaces specific permissions:
Under Enter the object names to select, enter the group name.
To validate the group name you entered, click Check Names.
Click OK.
Ensure the group is selected, then click Advanced.
Select the row with the group, then click Edit.
Under Applies to, select This namespace and subnamespaces.
Under Allow, select Execute Methods, Enable Account, and Remote Enable, then click OK.
Click OK.
Configure the Service in Exabeam Incident Responder
In the navigation bar, click the menu , select Settings, then select Core.
Under SERVICE INTEGRATIONS, select Services.
Select a service:
To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.
To manually provide the relevant information for a service, click Configure a new service.
To view all actions for a service, hover over a service, then click the information icon .
Enter information about the service:
Service Name – Enter a unique name for the service. By default, the service name is WMI.
(Optional) Description – Describe the service.
(Optional) Owner – Enter the email address of the person or group responsible for the service.
Username – Enter the user account name for the Windows user account with permissions to execute WMI commands.
Password – Enter the password to the Windows user account with permissions to execute WMI commands.
To validate the source, select TEST CONNECTIVITY.
Click CREATE SERVICE.