Microsoft Endpoint Configuration Manager
Microsoft Endpoint Configuration Manager Pack.#
This Integration is part of theSupported versions
Supported Cortex XSOAR versions: 5.5.0 and later.
#
OverviewThe configuration manager provides the overall Configuration Management (CM) infrastructure and environment to the product development team (formerly known as SCCM).
This integration was integrated and tested with version 1906 of Microsoft Endpoint Configuration Manager.
#
Prerequisites- This integration requires root access in order to execute commands. If you configured the server to run Docker images with a non-root internal user make sure to exclude the demisto/powershell-ubuntu Docker image as documented here
- Installation and configuration for Windows Remote Management to support a PowerShell session is a prerequisite in order to support this integration. For more information, refer to the following Microsoft article.
- PowerShell Remote sessions are created over port 5985 (Microsoft Web service management/WinRm). This port needs to be opened from XSOAR to the hosts on the local and network firewalls.
- Authentication is NTLM-based.
- The integration requires a valid domain user with the permission set needed to perform the required remote tasks.
- Configuration Manager clients must be running the client from the 1706 release, or later in order to run scripts commands.
- The integration runs PowerShell remoting over SSH, which requires OpenSSH. For more information, refer to the following Microsoft article. In order to use the integration, you need to be able to ssh from the Cortex XSOAR / engine machine to the ECM machine.
- To use scripts, you must be a member of the appropriate Configuration Manager security role.
- To use the ms-ecm-script-create command, your account must have Create permissions for SMS Scripts.
- To use the ms-ecm-script-approve command, your account must have Approve permissions for SMS Scripts.
- To use the ms-ecm-script-invoke command, your account must have Run Script permissions for Collections.
- To use the ms-ecm-service-stop, ms-ecm-service-start, and ms-ecm-service-restart commands, your account must have permissions to use all scripts commands
#
Configure Microsoft Endpoint Configuration Manager in CortexParameter | Description | Required |
---|---|---|
ComputerName | ECM Server URL. (e.g., 192.168.64.128) | True |
credentials | Username. (i.e, DOMAIN\username) | True |
SiteCode | ECM Site Code. | True |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
ms-ecm-user-last-log-onGets the name of the last user who logged in to a given device.
#
Base Commandms-ecm-user-last-log-on
#
InputArgument Name | Description | Required |
---|---|---|
device_name | The name of a device. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
MicrosoftECM.LastLogOnUser.IPAddresses | string | The IP addresses of the device. |
MicrosoftECM.LastLogOnUser.LastLogonTimestamp | date | The date of the last login to the device. |
MicrosoftECM.LastLogOnUser.LastLogonUserName | string | The name of the last user who logged in to the device. |
MicrosoftECM.LastLogOnUser.DeviceName | string | The name of the device. |
#
Command Example!ms-ecm-user-last-log-on device_name=EC2AMAZ-2AKQ815
#
Context Example#
Human Readable Output#
Last log on user on EC2AMAZ-2AKQ815
LastLogonUserName LastLogonTimestamp DeviceName IPAddresses 2020-11-12T06:07:29Z EC2AMAZ-2AKQ815 ["2.2.2.2","fe80::81c5:1670:9363:a40b"]
#
ms-ecm-collection-listGets a Configuration Manager collection.
#
Base Commandms-ecm-collection-list
#
InputArgument Name | Description | Required |
---|---|---|
collection_type | A type for the collection. Valid values are: "User" and "Device." | Required |
collection_id | A collection ID. If you do not specify a collection, all collections in the hierarchy are returned. (You can retrieve the collection ID via !ms-ecm-collection-list collection_type="Device" .) | Optional |
collection_name | A collection name. If you do not specify a collection, all collections in the hierarchy are returned. (You can retrieve the collection name via !ms-ecm-collection-list collection_type="Device" ) | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
MicrosoftECM.Collections.Name | string | The collection name. |
MicrosoftECM.Collections.ID | string | Unique auto-generated ID containing eight characters. |
MicrosoftECM.Collections.Type | string | The type of the collection. |
MicrosoftECM.Collections.Comment | string | General comment or note that documents the collection. |
MicrosoftECM.Collections.CurrentStatus | string | Current status of the collection. |
MicrosoftECM.Collections.HasProvisionedMember | boolean | Whether this collection has provisioned members. |
MicrosoftECM.Collections.IncludeExcludeCollectionsCount | number | The number of collections that are included and excluded in this collection. |
MicrosoftECM.Collections.IsBuiltIn | boolean | Whether the collection is built-in. |
MicrosoftECM.Collections.IsReferenceCollection | boolean | Whether the collection is not limited by another collection. |
MicrosoftECM.Collections.LastChangeTime | date | Date and time of when the collection was last modified in any way. |
MicrosoftECM.Collections.LastMemberChangeTime | date | Date and time of when the collection membership was last modified. |
MicrosoftECM.Collections.LastRefreshTime | date | Date and time of when the collection membership was last refreshed. |
MicrosoftECM.Collections.LimitToCollectionID | string | The ID of the collection to limit the query results to. |
MicrosoftECM.Collections.LimitToCollectionName | string | The name of the collection to limit the query results to. |
MicrosoftECM.Collections.LocalMemberCount | number | The number of members visible at the local site. |
MicrosoftECM.Collections.MemberClassName | string | Name of the class having instances that are the members of the collection. |
MicrosoftECM.Collections.MemberCount | number | The number of collection members. |
MicrosoftECM.Collections.UseCluster | boolean | Whether this collection is a server group. |
MicrosoftECM.Collections.CollectionRules | string | Name of the defining membership criteria for the collection. |
#
Command Example!ms-ecm-collection-list collection_name="All Systems" collection_type=Device
#
Context Example#
Human Readable Output#
Collection List
Comment LastMemberChangeTime LimitToCollectionName HasProvisionedMember LocalMemberCount IsBuiltIn IsReferenceCollection Type CollectionRules MemberCount MemberClassName Name ID IncludeExcludeCollectionsCount UseCluster LastChangeTime LimitToCollectionID CurrentStatus LastRefreshTime All Systems 2020-11-01T21:49:33Z True 5 True True Device
instance of SMS_CollectionRuleQuery
{
QueryExpression = "select * from sms_r_system";
QueryID = 1;
RuleName = "All Systems";
};
,
instance of SMS_CollectionRuleQuery
{
QueryExpression = "select SMS_R_UNKNOWNSYSTEM.ResourceID,SMS_R_UNKNOWNSYSTEM.ResourceType,SMS_R_UNKNOWNSYSTEM.Name,SMS_R_UNKNOWNSYSTEM.Name,SMS_R_UNKNOWNSYSTEM.Name from SMS_R_UnknownSystem";
QueryID = 2;
RuleName = "All Unknown Computers";
};5 SMS_CM_RES_COLL_SMS00001 All Systems SMS00001 0 False 2019-04-17T14:07:58Z READY 2020-11-19T04:00:19Z
#
ms-ecm-device-listLists a Configuration Manager device.
#
Base Commandms-ecm-device-list
#
InputArgument Name | Description | Required |
---|---|---|
collection_id | Specifies an ID for a device collection (You can retrieve the collection ID via !ms-ecm-collection-list collection_type="Device" .) | Optional |
collection_name | Specifies the name of a device collection (You can retrieve the collection name via !ms-ecm-collection-list collection_type="Device" .) | Optional |
limit | The maximum number of devices to be returned. Default is "100". | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
MicrosoftECM.Devices.Name | string | The name of the device. |
MicrosoftECM.Devices.ResourceID | number | Unique Configuration Manager-supplied ID for the resource. |
#
Command Example!ms-ecm-device-list collection_name="All Systems" limit=1
#
Context Example#
Human Readable Output#
Devices List
DeviceName ResourceID EC2AMAZ-2AKQ815 16777220
#
ms-ecm-script-listGets Configuration Manager PowerShell scripts.
#
Base Commandms-ecm-script-list
#
InputArgument Name | Description | Required |
---|---|---|
author | The author of the script. (You can retrieve the name of the author of the script via the !ms-ecm-script-list command.) | Optional |
script_name | The script name. (You can retrieve the script name via the !ms-ecm-script-list command.) | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
MicrosoftECM.Scripts.ApprovalState | string | The approval state of the script. |
MicrosoftECM.Scripts.Approver | string | The approver of the script. |
MicrosoftECM.Scripts.Author | string | The author of the script. |
MicrosoftECM.Scripts.Comment | string | A short comment about the script. |
MicrosoftECM.Scripts.LastUpdateTime | date | Date of the last script update. |
MicrosoftECM.Scripts.Parameterlist | string | The parameter list of the script. |
MicrosoftECM.Scripts.Script | string | The code of the script. |
MicrosoftECM.Scripts.ScriptGuid | string | The unique identifier of the script. |
MicrosoftECM.Scripts.ScriptHash | string | The hash of the script. |
MicrosoftECM.Scripts.ScriptHashAlgorithm | string | The algorithm with which the script hash was generated. |
MicrosoftECM.Scripts.ScriptName | string | The name of the script. |
MicrosoftECM.Scripts.ScriptType | string | The type of the script. |
MicrosoftECM.Scripts.ScriptVersion | number | The version of the script. |
#
Command Example!ms-ecm-script-list script_name="XSOAR StartService"
#
Context Example#
Human Readable Output#
Scripts List
ScriptHash Script Parameterlist ScriptHashAlgorithm ScriptGuid Comment ApprovalState ScriptType ScriptVersion LastUpdateTime ScriptName Author Approver C19588A7660DF68072866BDFA37FE558A55DC350FD3BB0977245199CD4264752 ��Get-Service 'dnscache' -ErrorAction Stop | Start-Service -PassThru -ErrorAction Stop SHA256 1984C9F9-7DCE-4191-AE20-B21281CB635B XSOAR StartService script Approved 0 1 2020-11-19T14:28:36Z XSOAR StartService DEMISTO\sccmadmin DEMISTO\sccmadmin
#
ms-ecm-script-createCreates a new Powershell script.
#
Base Commandms-ecm-script-create
#
InputArgument Name | Description | Required |
---|---|---|
script_file_entry_id | The entry ID of the script file. | Optional |
script_text | The text of the string. | Optional |
script_name | The name of the script. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
MicrosoftECM.Scripts.ApprovalState | string | The approval state of the script. |
MicrosoftECM.Scripts.Approver | string | The approver of the script. |
MicrosoftECM.Scripts.Author | string | The author of the script. |
MicrosoftECM.Scripts.Comment | string | A short comment about the script. |
MicrosoftECM.Scripts.LastUpdateTime | date | Date of the last script update. |
MicrosoftECM.Scripts.Parameterlist | string | The parameter list of the script. |
MicrosoftECM.Scripts.Script | string | The code of the script. |
MicrosoftECM.Scripts.ScriptGuid | string | The unique identifier of the script. |
MicrosoftECM.Scripts.ScriptHash | string | The hash of the script. |
MicrosoftECM.Scripts.ScriptHashAlgorithm | string | The algorithm with which the script hash was generated. |
MicrosoftECM.Scripts.ScriptName | string | The name of the script. |
MicrosoftECM.Scripts.ScriptType | string | The type of the script. |
MicrosoftECM.Scripts.ScriptVersion | number | The version of the script. |
#
Command Example!ms-ecm-script-create script_name="My new script" script_text="$PSVersionTable"
#
Context Example#
Human Readable Output#
Scripts List
Comment Parameterlist ScriptHashAlgorithm Script Approver Author ScriptName ScriptHash LastUpdateTime ScriptVersion ApprovalState ScriptGuid ScriptType SHA256 ��$PSVersionTable DEMISTO\sccmadmin My new script CE09E98D654CF613A0D219B744B56392E8356430534F309F715960E45A1417F8 2020-11-19T14:50:44Z 1 Waiting for approval 91B1B3C9-D6C5-4096-A24D-24838F8646C5 0
#
ms-ecm-script-invokeInvokes a script in the Configuration Manager.
#
Base Commandms-ecm-script-invoke
#
InputArgument Name | Description | Required |
---|---|---|
script_guid | The script ID. (You can retrieve the script ID via the via !ms-ecm-script-list command.) | Required |
collection_id | The collection ID. (You can retrieve the collection ID via !ms-ecm-collection-list collection_type="Device" .) | Optional |
collection_name | The collection name. (You can retrieve the collection name via !ms-ecm-collection-list collection_type="Device" .) | Optional |
device_name | A device name in Configuration Manager. | Optional |
poll_results | Whether to poll for the script invocation results. Default is "false". | Optional |
timeout | The timeout in seconds to poll for invocation results. Default is "30". | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
MicrosoftECM.ScriptsInvocationResults.OperationId | number | The script invocation operation ID. |
MicrosoftECM.ScriptsInvocationResults.CollectionId | string | The collection ID of the device on which the script was invoked. on |
MicrosoftECM.ScriptsInvocationResults.CollectionName | string | The collection name of the device on which the script was invoked. on |
MicrosoftECM.ScriptsInvocationResults.DeviceName | string | The name of the device on which the script was invoked. |
MicrosoftECM.ScriptsInvocationResults.ResourceId | number | The resource ID of the device on which the script was invoked. |
MicrosoftECM.ScriptsInvocationResults.LastUpdateTime | date | The last time the invocation result object was updated. |
MicrosoftECM.ScriptsInvocationResults.ScriptExecutionState | string | The state of the script invocation. |
MicrosoftECM.ScriptsInvocationResults.ScriptExitCode | number | The exit code of the script invocation. |
MicrosoftECM.ScriptsInvocationResults.ScriptGuid | string | The unique identifier of the script. |
MicrosoftECM.ScriptsInvocationResults.ScriptLastModifiedDate | date | The date of the script's last modification. |
MicrosoftECM.ScriptsInvocationResults.ScriptName | string | The name of the script. |
MicrosoftECM.ScriptsInvocationResults.ScriptOutput | string | The output of the script invocation. |
MicrosoftECM.ScriptsInvocationResults.ScriptOutputHash | string | The hash of the output of the script invocation. |
MicrosoftECM.ScriptsInvocationResults.ScriptVersion | number | The version of the script when it was invoked. |
MicrosoftECM.ScriptsInvocationResults.TaskID | string | The unique identifier of the invocation. |
#
Command Example!ms-ecm-script-invoke script_guid=394EDB29-5D89-4B9B-9745-A1F6DC8214E2 collection_name="All Systems" poll_results=true
#
Context Example#
Human Readable Output#
Script Invocation Results
CollectionName ScriptExitCode OperationId ScriptGuid LastUpdateTime ScriptOutputHash TaskID ScriptVersion ScriptExecutionState ScriptOutput ScriptName ScriptLastModifiedDate DeviceName ResourceId CollectionId All Systems 0 16777872 394EDB29-5D89-4B9B-9745-A1F6DC8214E2 2020-11-19T14:51:20Z EF8CDB402162E39E41C92FB87B8C54F8D3E5E8805ABC58E5BE6E31DBE94378CB {111F6FAA-5D5A-4693-9670-0A0184EC8766} 1 Succeeded {"PSVersion":{"Major":5,"Minor":1,"Build":14393,"Revision":2828,"MajorRevision":0,"MinorRevision":2828},"PSEdition":"Desktop","PSCompatibleVersions":[{"Major":1,"Minor":0,"Build":-1,"Revision":-1,"MajorRevision":-1,"MinorRevision":-1},{"Major":2,"Minor":0,"Build":-1,"Revision":-1,"MajorRevision":-1,"MinorRevision":-1},{"Major":3,"Minor":0,"Build":-1,"Revision":-1,"MajorRevision":-1,"MinorRevision":-1},{"Major":4,"Minor":0,"Build":-1,"Revision":-1,"MajorRevision":-1,"MinorRevision":-1},{"Major":5,"Minor":0,"Build":-1,"Revision":-1,"MajorRevision":-1,"MinorRevision":-1},{"Major":5,"Minor":1,"Build":14393,"Revision":2828,"MajorRevision":0,"MinorRevision":2828}],"BuildVersion":{"Major":10,"Minor":0,"Build":14393,"Revision":2828,"MajorRevision":0,"MinorRevision":2828},"CLRVersion":{"Major":4,"Minor":0,"Build":30319,"Revision":42000,"MajorRevision":0,"MinorRevision":-23536},"WSManStackVersion":{"Major":3,"Minor":0,"Build":-1,"Revision":-1,"MajorRevision":-1,"MinorRevision":-1},"PSRemotingProtocolVersion":{"Major":2,"Minor":3,"Build":-1,"Revision":-1,"MajorRevision":-1,"MinorRevision":-1},"SerializationVersion":{"Major":1,"Minor":1,"Build":0,"Revision":1,"MajorRevision":0,"MinorRevision":1}} Itay 2020-09-24T14:29:14Z EC2AMAZ-PHPTDJV 16777221 SMS00001 All Systems 0 16777872 394EDB29-5D89-4B9B-9745-A1F6DC8214E2 2020-11-19T14:51:20Z ADC6BF52B8EA29483BAB196925A0D52A2703A7386E289BBF6AA70E108399DA0F {111F6FAA-5D5A-4693-9670-0A0184EC8766} 1 Succeeded {"PSVersion":{"Major":5,"Minor":1,"Build":14393,"Revision":2608,"MajorRevision":0,"MinorRevision":2608},"PSEdition":"Desktop","PSCompatibleVersions":[{"Major":1,"Minor":0,"Build":-1,"Revision":-1,"MajorRevision":-1,"MinorRevision":-1},{"Major":2,"Minor":0,"Build":-1,"Revision":-1,"MajorRevision":-1,"MinorRevision":-1},{"Major":3,"Minor":0,"Build":-1,"Revision":-1,"MajorRevision":-1,"MinorRevision":-1},{"Major":4,"Minor":0,"Build":-1,"Revision":-1,"MajorRevision":-1,"MinorRevision":-1},{"Major":5,"Minor":0,"Build":-1,"Revision":-1,"MajorRevision":-1,"MinorRevision":-1},{"Major":5,"Minor":1,"Build":14393,"Revision":2608,"MajorRevision":0,"MinorRevision":2608}],"BuildVersion":{"Major":10,"Minor":0,"Build":14393,"Revision":2608,"MajorRevision":0,"MinorRevision":2608},"CLRVersion":{"Major":4,"Minor":0,"Build":30319,"Revision":42000,"MajorRevision":0,"MinorRevision":-23536},"WSManStackVersion":{"Major":3,"Minor":0,"Build":-1,"Revision":-1,"MajorRevision":-1,"MinorRevision":-1},"PSRemotingProtocolVersion":{"Major":2,"Minor":3,"Build":-1,"Revision":-1,"MajorRevision":-1,"MinorRevision":-1},"SerializationVersion":{"Major":1,"Minor":1,"Build":0,"Revision":1,"MajorRevision":0,"MinorRevision":1}} Itay 2020-09-24T14:29:14Z EC2AMAZ-TB8VCPN 16777222 SMS00001 All Systems 0 16777872 394EDB29-5D89-4B9B-9745-A1F6DC8214E2 2020-11-19T14:51:20Z 7E59C0C20E04A920734651297E46C7E7C0284E41B69B4E4DC3888D1767BA807D {111F6FAA-5D5A-4693-9670-0A0184EC8766} 1 Succeeded {"PSVersion":{"Major":5,"Minor":1,"Build":14393,"Revision":2969,"MajorRevision":0,"MinorRevision":2969},"PSEdition":"Desktop","PSCompatibleVersions":[{"Major":1,"Minor":0,"Build":-1,"Revision":-1,"MajorRevision":-1,"MinorRevision":-1},{"Major":2,"Minor":0,"Build":-1,"Revision":-1,"MajorRevision":-1,"MinorRevision":-1},{"Major":3,"Minor":0,"Build":-1,"Revision":-1,"MajorRevision":-1,"MinorRevision":-1},{"Major":4,"Minor":0,"Build":-1,"Revision":-1,"MajorRevision":-1,"MinorRevision":-1},{"Major":5,"Minor":0,"Build":-1,"Revision":-1,"MajorRevision":-1,"MinorRevision":-1},{"Major":5,"Minor":1,"Build":14393,"Revision":2969,"MajorRevision":0,"MinorRevision":2969}],"BuildVersion":{"Major":10,"Minor":0,"Build":14393,"Revision":2969,"MajorRevision":0,"MinorRevision":2969},"CLRVersion":{"Major":4,"Minor":0,"Build":30319,"Revision":42000,"MajorRevision":0,"MinorRevision":-23536},"WSManStackVersion":{"Major":3,"Minor":0,"Build":-1,"Revision":-1,"MajorRevision":-1,"MinorRevision":-1},"PSRemotingProtocolVersion":{"Major":2,"Minor":3,"Build":-1,"Revision":-1,"MajorRevision":-1,"MinorRevision":-1},"SerializationVersion":{"Major":1,"Minor":1,"Build":0,"Revision":1,"MajorRevision":0,"MinorRevision":1}} Itay 2020-09-24T14:29:14Z EC2AMAZ-2AKQ815 16777220 SMS00001
#
ms-ecm-script-approveApproves a Configuration Manager PowerShell script.
#
Base Commandms-ecm-script-approve
#
InputArgument Name | Description | Required |
---|---|---|
comment | A comment about the approval of the script. | Required |
script_guid | Specifies the script ID. (You can retrieve the script ID via the !ms-ecm-script-list command.) | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!ms-ecm-script-approve comment="Some comment" script_guid=394EDB29-5D89-4B9B-9745-A1F6DC8214E2
#
Human Readable Output#
Script was approved successfully
#
ms-ecm-device-collection-createCreates a Configuration Manager collection.
#
Base Commandms-ecm-device-collection-create
#
InputArgument Name | Description | Required |
---|---|---|
comment | A comment for the collection. | Required |
collection_name | A name for the collection. | Required |
limiting_collection_name | The name of a collection to use as a scope for this collection (You can retrieve the name of the collection via !ms-ecm-collection-list collection_type="Device" .) | Required |
#
Context OutputPath | Type | Description |
---|---|---|
MicrosoftECM.Collections.Name | string | The collection name. |
MicrosoftECM.Collections.ID | string | Unique auto-generated ID containing eight characters. |
MicrosoftECM.Collections.Type | string | The type of the collection. |
MicrosoftECM.Collections.Comment | string | General comment or note that documents the collection. |
MicrosoftECM.Collections.CurrentStatus | string | Current status of the collection. |
MicrosoftECM.Collections.HasProvisionedMember | boolean | Whether this collection has provisioned members. |
MicrosoftECM.Collections.IncludeExcludeCollectionsCount | number | The number of collections that are included and excluded with this collection. |
MicrosoftECM.Collections.IsBuiltIn | boolean | Whether the collection is built-in. |
MicrosoftECM.Collections.IsReferenceCollection | boolean | Whether the collection is not limited by another collection. |
MicrosoftECM.Collections.LastChangeTime | date | Date and time of when the collection was last altered in any way. |
MicrosoftECM.Collections.LastMemberChangeTime | date | Date and time of when the collection membership was last modified. |
MicrosoftECM.Collections.LastRefreshTime | date | Date and time of when the collection membership was last refreshed. |
MicrosoftECM.Collections.LimitToCollectionID | string | The ID of the collection to limit the query results to. |
MicrosoftECM.Collections.LimitToCollectionName | string | The name of the collection to limit the query results to. |
MicrosoftECM.Collections.LocalMemberCount | number | The number of members visible at the local site. |
MicrosoftECM.Collections.MemberClassName | string | Class name having instances that are the members of the collection. |
MicrosoftECM.Collections.MemberCount | number | The number of collection members. |
MicrosoftECM.Collections.UseCluster | boolean | Whether this collection is a server group. |
MicrosoftECM.Collections.CollectionRules | string | Name of the defining membership criteria for the collection. |
#
Command Example!ms-ecm-device-collection-create collection_name="my new collection name" comment="my collection comment" limiting_collection_name="All Systems"
#
Context Example#
Human Readable Output#
Collection List
Name ID Type Comment CurrentStatus CollectionRules HasProvisionedMember IncludeExcludeCollectionsCount IsBuiltIn IsReferenceCollection LastChangeTime LastMemberChangeTime LastRefreshTime LimitToCollectionID LimitToCollectionName LocalMemberCount MemberClassName MemberCount UseCluster my new collection name ISR0001F my collection comment False 0 False False 2020-11-29T15:09:46Z 1980-00-01T00:01:00Z 1980-00-01T00:01:00Z SMS00001 All Systems 0 SMS_CM_RES_COLL_ISR0001F 0 False
#
ms-ecm-device-collection-members-addAdds a direct rule membership to a device collection.
#
Base Commandms-ecm-device-collection-members-add
#
InputArgument Name | Description | Required |
---|---|---|
collection_id | The ID of a device collection. (You can retrieve the ID via !ms-ecm-collection-list collection_type="Device" .) | Optional |
collection_name | The name of a device collection. (You can retrieve the name via !ms-ecm-collection-list collection_type="Device" .) | Optional |
device_resource_ids | A comma-separated list of device resource IDs. (You can retrieve the device resource IDs via the !ms-ecm-device-list command.) | Required |
#
Context OutputPath | Type | Description |
---|---|---|
MicrosoftECM.Collections.Name | string | The collection name. |
MicrosoftECM.Collections.ID | string | Unique auto-generated ID containing eight characters. |
MicrosoftECM.Collections.Type | string | The type of the collection. |
MicrosoftECM.Collections.Comment | string | General comment or note that documents the collection. |
MicrosoftECM.Collections.CurrentStatus | string | Current status of the collection. |
MicrosoftECM.Collections.HasProvisionedMember | boolean | Whether the collection has provisioned members. |
MicrosoftECM.Collections.IncludeExcludeCollectionsCount | number | The number of collections that are included and excluded with this collection. |
MicrosoftECM.Collections.IsBuiltIn | boolean | Whether the collection is built-in. |
MicrosoftECM.Collections.IsReferenceCollection | boolean | Whether the collection is not limited by another collection. |
MicrosoftECM.Collections.LastChangeTime | date | Date and time of when the collection was last modified in any way. |
MicrosoftECM.Collections.LastMemberChangeTime | date | Date and time of when the collection membership was last modified. |
MicrosoftECM.Collections.LastRefreshTime | date | Date and time of when the collection membership was last refreshed. |
MicrosoftECM.Collections.LimitToCollectionID | string | The ID of the collection to limit the query results to. |
MicrosoftECM.Collections.LimitToCollectionName | string | The name of the collection to limit the query results to. |
MicrosoftECM.Collections.LocalMemberCount | number | The number of members visible at the local site. |
MicrosoftECM.Collections.MemberClassName | string | Class name having instances that are the members of the collection. |
MicrosoftECM.Collections.MemberCount | number | The number of collection members. |
MicrosoftECM.Collections.UseCluster | boolean | A comma-separated list of resource IDs, e.g., 0001,0002. |
MicrosoftECM.Collections.CollectionRules | string | Name of the defining membership criteria for the collection. |
#
Command Example!ms-ecm-device-collection-members-add device_resource_ids=16777220 collection_name="my new collection name"
#
Context Example#
Human Readable OutputWARNING: The specified resource ID '16777220' is already existing in rules.
#
ms-ecm-device-collection-includeAdds an include collections membership rule to a device collection.
#
Base Commandms-ecm-device-collection-include
#
InputArgument Name | Description | Required |
---|---|---|
collection_id | The ID of a device collection. (You can retrieve the ID via !ms-ecm-collection-list collection_type="Device" .) | Optional |
collection_name | The name of a device collection. (You can retrieve the name via !ms-ecm-collection-list collection_type="Device" .) | Optional |
include_collection_id | The ID of a device collection to include in the membership rule. (You can retrieve the ID via !ms-ecm-collection-list collection_type="Device" .) | Optional |
include_collection_name | The name of a device collection to include in the membership rule. (You can retrieve the name via !ms-ecm-collection-list collection_type="Device" .) | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
MicrosoftECM.Collections.Name | string | The collection name. |
MicrosoftECM.Collections.ID | string | Unique auto-generated ID containing eight characters. |
MicrosoftECM.Collections.Type | string | The type of the collection. |
MicrosoftECM.Collections.Comment | string | General comment or note that documents the collection. |
MicrosoftECM.Collections.CurrentStatus | string | Current status of the collection. |
MicrosoftECM.Collections.HasProvisionedMember | boolean | Whether this collection has provisioned members. |
MicrosoftECM.Collections.IncludeExcludeCollectionsCount | number | The number of collections that are included and excluded with this collection. |
MicrosoftECM.Collections.IsBuiltIn | boolean | Whether the collection is built-in. |
MicrosoftECM.Collections.IsReferenceCollection | boolean | Whether the collection is not limited by another collection. |
MicrosoftECM.Collections.LastChangeTime | date | Date and time of when the collection was last modified in any way. |
MicrosoftECM.Collections.LastMemberChangeTime | date | Date and time of when the collection membership was last modified. |
MicrosoftECM.Collections.LastRefreshTime | date | Date and time of when the collection membership was last refreshed. |
MicrosoftECM.Collections.LimitToCollectionID | string | The ID of the collection to limit the query results to. |
MicrosoftECM.Collections.LimitToCollectionName | string | The name of the collection to limit the query results to. |
MicrosoftECM.Collections.LocalMemberCount | number | The number of members visible at the local site. |
MicrosoftECM.Collections.MemberClassName | string | Class name having instances that are the members of the collection. |
MicrosoftECM.Collections.MemberCount | number | The number of collection members. |
MicrosoftECM.Collections.UseCluster | boolean | A comma-separated list of resource IDs, e.g., 0001,0002. |
MicrosoftECM.Collections.CollectionRules | string | Name of the defining membership criteria for the collection. |
#
Command Example#
ms-ecm-device-collection-excludeAdds an exclude membership rule to one or more Configuration Manager device collections.
#
Base Commandms-ecm-device-collection-exclude
#
InputArgument Name | Description | Required |
---|---|---|
collection_id | The ID of a device collection. (You can retrieve the ID via !ms-ecm-collection-list collection_type="Device" .) | Optional |
collection_name | The name of a device collection. (You can retrieve the name via !ms-ecm-collection-list collection_type="Device" .) | Optional |
exclude_collection_id | The ID of a device collection to exclude from the membership rule. (You can retrieve the ID via !ms-ecm-collection-list collection_type="Device" .) | Optional |
exclude_collection_name | The name of a device collection to exclude from the membership rule. (You can retrieve the name via !ms-ecm-collection-list collection_type="Device" .) | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
MicrosoftECM.Collections.Name | string | The collection name. |
MicrosoftECM.Collections.ID | string | Unique auto-generated ID containing eight characters. |
MicrosoftECM.Collections.Type | string | The type of the collection. |
MicrosoftECM.Collections.Comment | string | General comment or note that documents the collection. |
MicrosoftECM.Collections.CurrentStatus | string | Current status of the collection. |
MicrosoftECM.Collections.HasProvisionedMember | boolean | Whether this collection has provisioned members. |
MicrosoftECM.Collections.IncludeExcludeCollectionsCount | number | The number of collections that are included and excluded with this collection. |
MicrosoftECM.Collections.IsBuiltIn | boolean | Whether the collection is built-in. |
MicrosoftECM.Collections.IsReferenceCollection | boolean | Whether the collection is not limited by another collection. |
MicrosoftECM.Collections.LastChangeTime | date | Date and time of when the collection was last modified in any way. |
MicrosoftECM.Collections.LastMemberChangeTime | date | Date and time of when the collection membership was last modified. |
MicrosoftECM.Collections.LastRefreshTime | date | Date and time of when the collection membership was last refreshed. |
MicrosoftECM.Collections.LimitToCollectionID | string | The ID of the collection to limit the query results to. |
MicrosoftECM.Collections.LimitToCollectionName | string | The name of the collection to limit the query results to. |
MicrosoftECM.Collections.LocalMemberCount | number | The number of members visible at the local site. |
MicrosoftECM.Collections.MemberClassName | string | Class name having instances that are the members of the collection |
MicrosoftECM.Collections.MemberCount | number | The number of collection members. |
MicrosoftECM.Collections.UseCluster | boolean | A comma-separated list of resource IDs, e.g., 0001,0002. |
MicrosoftECM.Collections.CollectionRules | string | Name of the defining membership criteria for the collection. |
#
Command Example!ms-ecm-device-collection-exclude collection_name="my new collection name" exclude_collection_name="Test"
#
Context Example#
Human Readable Output#
Collection List
Name ID Type Comment CurrentStatus CollectionRules HasProvisionedMember IncludeExcludeCollectionsCount IsBuiltIn IsReferenceCollection LastChangeTime LastMemberChangeTime LastRefreshTime LimitToCollectionID LimitToCollectionName LocalMemberCount MemberClassName MemberCount UseCluster my new collection name ISR0001F my collection comment
instance of SMS_CollectionRuleExcludeCollection
{
ExcludeCollectionID = "ISR00014";
RuleName = "Test";
};False 0 False False 2020-11-29T15:09:46Z 2020-11-29T15:09:53Z 2020-11-29T15:09:53Z SMS00001 All Systems 0 SMS_CM_RES_COLL_ISR0001F 0 False
#
ms-ecm-device-collection-members-by-query-addAdds a query membership rule to one or more Configuration Manager device collections.
#
Base Commandms-ecm-device-collection-members-by-query-add
#
InputArgument Name | Description | Required |
---|---|---|
collection_id | The ID of the device collection where the rule is applied. (You can retrieve the ID via !ms-ecm-collection-list collection_type="Device" .) | Optional |
collection_name | The name of the device collection where the rule is applied. (You can retrieve the name via !ms-ecm-collection-list collection_type="Device" .) | Optional |
query_expression | The query expression that Configuration Manager uses. For example "select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where (ClientType = 1) OR (SMS_R_System.AgentEdition0 = 5)" to update the device collections. | Required |
rule_name | The name for the rule. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
MicrosoftECM.Collections.Name | string | The name of the collection. |
MicrosoftECM.Collections.ID | string | Unique auto-generated ID containing eight characters. |
MicrosoftECM.Collections.Type | string | The type of the collection. |
MicrosoftECM.Collections.Comment | string | General comment or note that documents the collection. |
MicrosoftECM.Collections.CurrentStatus | string | Current status of the collection. |
MicrosoftECM.Collections.HasProvisionedMember | boolean | Whether this collection has provisioned members. |
MicrosoftECM.Collections.IncludeExcludeCollectionsCount | number | The number of collections that are included and excluded with this collection. |
MicrosoftECM.Collections.IsBuiltIn | boolean | Whether the collection is built-in. |
MicrosoftECM.Collections.IsReferenceCollection | boolean | Whether the collection is not limited by another collection. |
MicrosoftECM.Collections.LastChangeTime | date | Date and time of when the collection was last modified in any way. |
MicrosoftECM.Collections.LastMemberChangeTime | date | Date and time of when the collection membership was last modified. |
MicrosoftECM.Collections.LastRefreshTime | date | Date and time of when the collection membership was last refreshed. |
MicrosoftECM.Collections.LimitToCollectionID | string | The ID of the collection to limit the query results to. |
MicrosoftECM.Collections.LimitToCollectionName | string | The name of the collection to limit the query results to. |
MicrosoftECM.Collections.LocalMemberCount | number | The number of members visible at the local site. |
MicrosoftECM.Collections.MemberClassName | string | Class name having instances that are the members of the collection |
MicrosoftECM.Collections.MemberCount | number | The number of collection members. |
MicrosoftECM.Collections.UseCluster | boolean | A comma-separated list of resource IDs, e.g., 0001,0002. |
MicrosoftECM.Collections.CollectionRules | string | Name of the defining membership criteria for the collection. |
#
Command Example!ms-ecm-device-collection-members-by-query-add query_expression="select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where (ClientType = 1) OR (SMS_R_System.AgentEdition0 = 5)" rule_name="new Rule" collection_name="my new collection name"
#
Context Example#
Human Readable Output#
Collection List
Comment LimitToCollectionID CurrentStatus LastMemberChangeTime Type IncludeExcludeCollectionsCount UseCluster LastChangeTime Name LocalMemberCount HasProvisionedMember LimitToCollectionName MemberClassName IsReferenceCollection CollectionRules ID LastRefreshTime IsBuiltIn MemberCount my collection comment SMS00001 READY 2020-11-09T14:21:06Z Device 1 False 2020-11-19T14:25:59Z my new collection name 2 True All Systems SMS_CM_RES_COLL_ISR00068 False
instance of SMS_CollectionRuleExcludeCollection
{
ExcludeCollectionID = "ISR00020";
RuleName = "Test";
};
,
instance of SMS_CollectionRuleQuery
{
QueryExpression = "select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where (ClientType = 1) OR (SMS_R_System.AgentEdition0 = 5)";
QueryID = 1;
RuleName = "new Rule";
};
,
instance of SMS_CollectionRuleQuery
{
QueryExpression = "select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where (ClientType = 1) OR (SMS_R_System.AgentEdition0 = 5)";
QueryID = 2;
RuleName = "new Rule";
};
,
instance of SMS_CollectionRuleQuery
{
QueryExpression = "select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where (ClientType = 1) OR (SMS_R_System.AgentEdition0 = 5)";
QueryID = 3;
RuleName = "new Rule";
};
,
instance of SMS_CollectionRuleQuery
{
QueryExpression = "select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where (ClientType = 1) OR (SMS_R_System.AgentEdition0 = 5)";
QueryID = 4;
RuleName = "new Rule";
};
,
instance of SMS_CollectionRuleQuery
{
QueryExpression = "select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where (ClientType = 1) OR (SMS_R_System.AgentEdition0 = 5)";
QueryID = 5;
RuleName = "new Rule";
};
,
instance of SMS_CollectionRuleDirect
{
ResourceClassName = "SMS_R_System";
ResourceID = 16777220;
RuleName = "EC2AMAZ-2AKQ815";
};
,
instance of SMS_CollectionRuleQuery
{
QueryExpression = "select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where (ClientType = 1) OR (SMS_R_System.AgentEdition0 = 5)";
RuleName = "new Rule";
};ISR00068 2020-11-19T14:26:13Z False 2
#
ms-ecm-service-startStarts a service on a device or collection. (Implemented by creating and invoking the XSOAR StartService
script.)
#
Base Commandms-ecm-service-start
#
InputArgument Name | Description | Required |
---|---|---|
service_name | The name of the service. | Required |
device_name | The device name to start the service in. (You can retrieve the device name via the !ms-ecm-device-list command.) | Optional |
collection_id | The ID of the collection to start the service in. (You can retrieve the ID via !ms-ecm-collection-list collection_type="Device" .) | Optional |
collection_name | The name of the collection to start the service in. (You can retrieve the name via !ms-ecm-collection-list collection_type="Device" .) | Optional |
poll_results | Whether to poll for the script invocation results. Default is "false". | Optional |
timeout | The timeout in seconds to poll for invocation results. Default is "30". | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
MicrosoftECM.ScriptsInvocationResults.OperationId | number | The script invocation operation ID. |
MicrosoftECM.ScriptsInvocationResults.CollectionId | string | The collection ID of the device on which the script was invoked. on |
MicrosoftECM.ScriptsInvocationResults.CollectionName | string | The collection name of the device on which the script was invoked. on |
MicrosoftECM.ScriptsInvocationResults.DeviceName | string | The name of the device on which the script was invoked. |
MicrosoftECM.ScriptsInvocationResults.ResourceId | number | The resource ID of the device on which the script was invoked. |
MicrosoftECM.ScriptsInvocationResults.LastUpdateTime | date | The last time the invocation result object was updated. |
MicrosoftECM.ScriptsInvocationResults.ScriptExecutionState | string | The state of the script invocation. |
MicrosoftECM.ScriptsInvocationResults.ScriptExitCode | number | The exit code of the script invocation. |
MicrosoftECM.ScriptsInvocationResults.ScriptGuid | string | The unique identifier of the script. |
MicrosoftECM.ScriptsInvocationResults.ScriptLastModifiedDate | date | The date of the script's last modification. |
MicrosoftECM.ScriptsInvocationResults.ScriptName | string | The name of the script. |
MicrosoftECM.ScriptsInvocationResults.ScriptOutput | string | The output of the script invocation. |
MicrosoftECM.ScriptsInvocationResults.ScriptOutputHash | string | The hash of the output of the script invocation. |
MicrosoftECM.ScriptsInvocationResults.ScriptVersion | number | The version of the script when it was invoked. |
MicrosoftECM.ScriptsInvocationResults.TaskID | string | The unique identifier of the invocation. |
#
Command Example!ms-ecm-service-start service_name=dnscache collection_name="All Systems" poll_results=true timeout=15
#
Context Example#
Human Readable Output#
Script Invocation Results
CollectionName ScriptExitCode OperationId ScriptGuid LastUpdateTime ScriptOutputHash TaskID ScriptVersion ScriptExecutionState ScriptOutput ScriptName ScriptLastModifiedDate DeviceName ResourceId CollectionId All Systems 0 16777874 CB2A5600-95A0-4663-9940-20E97BD26AC8 2020-11-19T14:53:10Z B03DDFEA2112E2743EFF47D0A450E762A864ECD55CF6D01AD6BF1A01E19BC78B {560F73AF-E4BC-447E-9C68-A7962E8E9B6B} 1 Succeeded {"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"DNS Client","DependentServices":[{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":false,"DisplayName":"Network Connectivity Assistant","DependentServices":"","MachineName":".","ServiceName":"NcaSvc","ServicesDependedOn":"NSI dnscache iphlpsvc BFE","ServiceHandle":"SafeServiceHandle","Status":1,"ServiceType":32,"StartType":3,"Site":null,"Container":null}],"MachineName":".","ServiceName":"dnscache","ServicesDependedOn":[{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"Network Store Interface Service","DependentServices":"AppVClient netprofm NlaSvc Netman NcaSvc SMS_SITE_VSS_WRITER SMS_SITE_SQL_BACKUP SMS_SITE_COMPONENT_MANAGER SMS_SITE_BACKUP SMS_EXECUTIVE SessionEnv Netlogon Browser LanmanWorkstation iphlpsvc IKEEXT Dnscache WinHttpAutoProxySvc Dhcp","MachineName":".","ServiceName":"nsi","ServicesDependedOn":"rpcss nsiproxy","ServiceHandle":"SafeServiceHandle","Status":4,"ServiceType":32,"StartType":2,"Site":null,"Container":null},{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"NetIO Legacy TDI Support Driver","DependentServices":"NetBT NcaSvc iphlpsvc Dnscache WinHttpAutoProxySvc AppVClient netprofm NlaSvc Dhcp","MachineName":".","ServiceName":"Tdx","ServicesDependedOn":"tcpip","ServiceHandle":"SafeServiceHandle","Status":4,"ServiceType":1,"StartType":1,"Site":null,"Container":null}],"ServiceHandle":{"IsInvalid":false,"IsClosed":false},"Status":4,"ServiceType":32,"StartType":2,"Site":null,"Container":null,"Name":"dnscache","RequiredServices":[{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"Network Store Interface Service","DependentServices":"AppVClient netprofm NlaSvc Netman NcaSvc SMS_SITE_VSS_WRITER SMS_SITE_SQL_BACKUP SMS_SITE_COMPONENT_MANAGER SMS_SITE_BACKUP SMS_EXECUTIVE SessionEnv Netlogon Browser LanmanWorkstation iphlpsvc IKEEXT Dnscache WinHttpAutoProxySvc Dhcp","MachineName":".","ServiceName":"nsi","ServicesDependedOn":"rpcss nsiproxy","ServiceHandle":"SafeServiceHandle","Status":4,"ServiceType":32,"StartType":2,"Site":null,"Container":null},{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"NetIO Legacy TDI Support Driver","DependentServices":"NetBT NcaSvc iphlpsvc Dnscache WinHttpAutoProxySvc AppVClient netprofm NlaSvc Dhcp","MachineName":".","ServiceName":"Tdx","ServicesDependedOn":"tcpip","ServiceHandle":"SafeServiceHandle","Status":4,"ServiceType":1,"StartType":1,"Site":null,"Container":null}]} XSOAR StartService 2020-11-19T14:52:56Z EC2AMAZ-PHPTDJV 16777221 SMS00001 All Systems 0 16777874 CB2A5600-95A0-4663-9940-20E97BD26AC8 2020-11-19T14:53:10Z 340EEE6517060B2B3A357561E719D9588DB65929CFD6091AF87A20D1AAED2BAF {560F73AF-E4BC-447E-9C68-A7962E8E9B6B} 1 Succeeded {"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"DNS Client","DependentServices":[{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":false,"DisplayName":"Network Connectivity Assistant","DependentServices":"","MachineName":".","ServiceName":"NcaSvc","ServicesDependedOn":"NSI dnscache iphlpsvc BFE","ServiceHandle":"SafeServiceHandle","Status":1,"ServiceType":32,"StartType":3,"Site":null,"Container":null}],"MachineName":".","ServiceName":"dnscache","ServicesDependedOn":[{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"Network Store Interface Service","DependentServices":"AppVClient netprofm NlaSvc Netman NcaSvc SessionEnv Netlogon Dfs Browser LanmanWorkstation iphlpsvc IKEEXT Dnscache WinHttpAutoProxySvc Dhcp","MachineName":".","ServiceName":"nsi","ServicesDependedOn":"rpcss nsiproxy","ServiceHandle":"SafeServiceHandle","Status":4,"ServiceType":32,"StartType":2,"Site":null,"Container":null},{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"NetIO Legacy TDI Support Driver","DependentServices":"NetBT NcaSvc iphlpsvc Dnscache WinHttpAutoProxySvc AppVClient netprofm NlaSvc Dhcp","MachineName":".","ServiceName":"Tdx","ServicesDependedOn":"tcpip","ServiceHandle":"SafeServiceHandle","Status":4,"ServiceType":1,"StartType":1,"Site":null,"Container":null}],"ServiceHandle":{"IsInvalid":false,"IsClosed":false},"Status":4,"ServiceType":32,"StartType":2,"Site":null,"Container":null,"Name":"dnscache","RequiredServices":[{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"Network Store Interface Service","DependentServices":"AppVClient netprofm NlaSvc Netman NcaSvc SessionEnv Netlogon Dfs Browser LanmanWorkstation iphlpsvc IKEEXT Dnscache WinHttpAutoProxySvc Dhcp","MachineName":".","ServiceName":"nsi","ServicesDependedOn":"rpcss nsiproxy","ServiceHandle":"SafeServiceHandle","Status":4,"ServiceType":32,"StartType":2,"Site":null,"Container":null},{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"NetIO Legacy TDI Support Driver","DependentServices":"NetBT NcaSvc iphlpsvc Dnscache WinHttpAutoProxySvc AppVClient netprofm NlaSvc Dhcp","MachineName":".","ServiceName":"Tdx","ServicesDependedOn":"tcpip","ServiceHandle":"SafeServiceHandle","Status":4,"ServiceType":1,"StartType":1,"Site":null,"Container":null}]} XSOAR StartService 2020-11-19T14:52:56Z EC2AMAZ-TB8VCPN 16777222 SMS00001 All Systems 0 16777874 CB2A5600-95A0-4663-9940-20E97BD26AC8 2020-11-19T14:53:10Z BD83747944C526E57E066BD863A2D6BBB4B5E81BFFC7310878F16C1505393E9C {560F73AF-E4BC-447E-9C68-A7962E8E9B6B} 1 Succeeded {"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"DNS Client","DependentServices":[{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":false,"DisplayName":"Network Connectivity Assistant","DependentServices":"","MachineName":".","ServiceName":"NcaSvc","ServicesDependedOn":"NSI dnscache iphlpsvc BFE","ServiceHandle":"SafeServiceHandle","Status":1,"ServiceType":32,"StartType":3,"Site":null,"Container":null}],"MachineName":".","ServiceName":"dnscache","ServicesDependedOn":[{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"Network Store Interface Service","DependentServices":"AppVClient netprofm NlaSvc Netman NcaSvc SessionEnv Netlogon Browser LanmanWorkstation iphlpsvc IKEEXT Dnscache WinHttpAutoProxySvc Dhcp","MachineName":".","ServiceName":"nsi","ServicesDependedOn":"rpcss nsiproxy","ServiceHandle":"SafeServiceHandle","Status":4,"ServiceType":32,"StartType":2,"Site":null,"Container":null},{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"NetIO Legacy TDI Support Driver","DependentServices":"NetBT NcaSvc iphlpsvc Dnscache WinHttpAutoProxySvc AppVClient netprofm NlaSvc Dhcp","MachineName":".","ServiceName":"Tdx","ServicesDependedOn":"tcpip","ServiceHandle":"SafeServiceHandle","Status":4,"ServiceType":1,"StartType":1,"Site":null,"Container":null}],"ServiceHandle":{"IsInvalid":false,"IsClosed":false},"Status":4,"ServiceType":32,"StartType":2,"Site":null,"Container":null,"Name":"dnscache","RequiredServices":[{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"Network Store Interface Service","DependentServices":"AppVClient netprofm NlaSvc Netman NcaSvc SessionEnv Netlogon Browser LanmanWorkstation iphlpsvc IKEEXT Dnscache WinHttpAutoProxySvc Dhcp","MachineName":".","ServiceName":"nsi","ServicesDependedOn":"rpcss nsiproxy","ServiceHandle":"SafeServiceHandle","Status":4,"ServiceType":32,"StartType":2,"Site":null,"Container":null},{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"NetIO Legacy TDI Support Driver","DependentServices":"NetBT NcaSvc iphlpsvc Dnscache WinHttpAutoProxySvc AppVClient netprofm NlaSvc Dhcp","MachineName":".","ServiceName":"Tdx","ServicesDependedOn":"tcpip","ServiceHandle":"SafeServiceHandle","Status":4,"ServiceType":1,"StartType":1,"Site":null,"Container":null}]} XSOAR StartService 2020-11-19T14:52:56Z EC2AMAZ-2AKQ815 16777220 SMS00001
#
ms-ecm-service-restartRestarts a service on a device or collection. (Implemented by creating and invoking the XSOAR RestartService
script.)
#
Base Commandms-ecm-service-restart
#
InputArgument Name | Description | Required |
---|---|---|
service_name | The name of the service. | Required |
device_name | The device name to start the service in. (You can retrieve the device name via the !ms-ecm-device-list command.) | Optional |
collection_id | The ID of the collection to start the service in. (You can retrieve the ID via !ms-ecm-collection-list collection_type="Device" .) | Optional |
collection_name | The name of the collection to start the service in. (You can retrieve the name via !ms-ecm-collection-list collection_type="Device" .) | Optional |
poll_results | Whether to poll for the script invocation results. Default is "false". | Optional |
timeout | The timeout in seconds to poll for invocation results. Default is "30". | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
MicrosoftECM.ScriptsInvocationResults.OperationId | number | The script invocation operation ID. |
MicrosoftECM.ScriptsInvocationResults.CollectionId | string | The collection ID of the device on which the script was invoked. on |
MicrosoftECM.ScriptsInvocationResults.CollectionName | string | The collection name of the device on which the script was invoked. on |
MicrosoftECM.ScriptsInvocationResults.DeviceName | string | The name of the device on which the script was invoked. |
MicrosoftECM.ScriptsInvocationResults.ResourceId | number | The resource ID of the device on which the script was invoked. |
MicrosoftECM.ScriptsInvocationResults.LastUpdateTime | date | The last time the invocation result object was updated. |
MicrosoftECM.ScriptsInvocationResults.ScriptExecutionState | string | The state of the script invocation. |
MicrosoftECM.ScriptsInvocationResults.ScriptExitCode | number | The exit code of the script invocation. |
MicrosoftECM.ScriptsInvocationResults.ScriptGuid | string | The unique identifier of the script. |
MicrosoftECM.ScriptsInvocationResults.ScriptLastModifiedDate | date | The date of the script's last modification. |
MicrosoftECM.ScriptsInvocationResults.ScriptName | string | The name of the script. |
MicrosoftECM.ScriptsInvocationResults.ScriptOutput | string | The output of the script invocation. |
MicrosoftECM.ScriptsInvocationResults.ScriptOutputHash | string | The hash of the output of the script invocation. |
MicrosoftECM.ScriptsInvocationResults.ScriptVersion | number | The version of the script when it was invoked. |
MicrosoftECM.ScriptsInvocationResults.TaskID | string | The unique identifier of the invocation. |
#
Command Example!ms-ecm-service-restart service_name=dnscache collection_name="All Systems" poll_results=true timeout=15
#
Context Example#
Human Readable Output#
Script Invocation Results
CollectionId ResourceId ScriptExitCode DeviceName CollectionName LastUpdateTime ScriptVersion ScriptExecutionState ScriptOutput ScriptGuid ScriptLastModifiedDate ScriptOutputHash ScriptName OperationId TaskID SMS00001 16777221 0 EC2AMAZ-PHPTDJV All Systems 2020-11-19T14:52:35Z 1 Succeeded {"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"DNS Client","DependentServices":[{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":false,"DisplayName":"Network Connectivity Assistant","DependentServices":"","MachineName":".","ServiceName":"NcaSvc","ServicesDependedOn":"NSI dnscache iphlpsvc BFE","ServiceHandle":"SafeServiceHandle","Status":1,"ServiceType":32,"StartType":3,"Site":null,"Container":null}],"MachineName":".","ServiceName":"dnscache","ServicesDependedOn":[{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"Network Store Interface Service","DependentServices":"AppVClient netprofm NlaSvc Netman NcaSvc SMS_SITE_VSS_WRITER SMS_SITE_SQL_BACKUP SMS_SITE_COMPONENT_MANAGER SMS_SITE_BACKUP SMS_EXECUTIVE SessionEnv Netlogon Browser LanmanWorkstation iphlpsvc IKEEXT Dnscache WinHttpAutoProxySvc Dhcp","MachineName":".","ServiceName":"nsi","ServicesDependedOn":"rpcss nsiproxy","ServiceHandle":"SafeServiceHandle","Status":4,"ServiceType":32,"StartType":2,"Site":null,"Container":null},{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"NetIO Legacy TDI Support Driver","DependentServices":"NetBT NcaSvc iphlpsvc Dnscache WinHttpAutoProxySvc AppVClient netprofm NlaSvc Dhcp","MachineName":".","ServiceName":"Tdx","ServicesDependedOn":"tcpip","ServiceHandle":"SafeServiceHandle","Status":4,"ServiceType":1,"StartType":1,"Site":null,"Container":null}],"ServiceHandle":{"IsInvalid":false,"IsClosed":false},"Status":4,"ServiceType":32,"StartType":2,"Site":null,"Container":null,"Name":"dnscache","RequiredServices":[{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"Network Store Interface Service","DependentServices":"AppVClient netprofm NlaSvc Netman NcaSvc SMS_SITE_VSS_WRITER SMS_SITE_SQL_BACKUP SMS_SITE_COMPONENT_MANAGER SMS_SITE_BACKUP SMS_EXECUTIVE SessionEnv Netlogon Browser LanmanWorkstation iphlpsvc IKEEXT Dnscache WinHttpAutoProxySvc Dhcp","MachineName":".","ServiceName":"nsi","ServicesDependedOn":"rpcss nsiproxy","ServiceHandle":"SafeServiceHandle","Status":4,"ServiceType":32,"StartType":2,"Site":null,"Container":null},{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"NetIO Legacy TDI Support Driver","DependentServices":"NetBT NcaSvc iphlpsvc Dnscache WinHttpAutoProxySvc AppVClient netprofm NlaSvc Dhcp","MachineName":".","ServiceName":"Tdx","ServicesDependedOn":"tcpip","ServiceHandle":"SafeServiceHandle","Status":4,"ServiceType":1,"StartType":1,"Site":null,"Container":null}]} 640C640F-7FED-4F80-812E-CF8C0852F2E5 2020-11-19T14:52:22Z B03DDFEA2112E2743EFF47D0A450E762A864ECD55CF6D01AD6BF1A01E19BC78B XSOAR RestartService 16777873 {8E911C86-A0D8-4C29-ACEB-9FB183909128} SMS00001 16777222 0 EC2AMAZ-TB8VCPN All Systems 2020-11-19T14:52:35Z 1 Succeeded {"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"DNS Client","DependentServices":[{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":false,"DisplayName":"Network Connectivity Assistant","DependentServices":"","MachineName":".","ServiceName":"NcaSvc","ServicesDependedOn":"NSI dnscache iphlpsvc BFE","ServiceHandle":"SafeServiceHandle","Status":1,"ServiceType":32,"StartType":3,"Site":null,"Container":null}],"MachineName":".","ServiceName":"dnscache","ServicesDependedOn":[{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"Network Store Interface Service","DependentServices":"AppVClient netprofm NlaSvc Netman NcaSvc SessionEnv Netlogon Dfs Browser LanmanWorkstation iphlpsvc IKEEXT Dnscache WinHttpAutoProxySvc Dhcp","MachineName":".","ServiceName":"nsi","ServicesDependedOn":"rpcss nsiproxy","ServiceHandle":"SafeServiceHandle","Status":4,"ServiceType":32,"StartType":2,"Site":null,"Container":null},{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"NetIO Legacy TDI Support Driver","DependentServices":"NetBT NcaSvc iphlpsvc Dnscache WinHttpAutoProxySvc AppVClient netprofm NlaSvc Dhcp","MachineName":".","ServiceName":"Tdx","ServicesDependedOn":"tcpip","ServiceHandle":"SafeServiceHandle","Status":4,"ServiceType":1,"StartType":1,"Site":null,"Container":null}],"ServiceHandle":{"IsInvalid":false,"IsClosed":false},"Status":4,"ServiceType":32,"StartType":2,"Site":null,"Container":null,"Name":"dnscache","RequiredServices":[{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"Network Store Interface Service","DependentServices":"AppVClient netprofm NlaSvc Netman NcaSvc SessionEnv Netlogon Dfs Browser LanmanWorkstation iphlpsvc IKEEXT Dnscache WinHttpAutoProxySvc Dhcp","MachineName":".","ServiceName":"nsi","ServicesDependedOn":"rpcss nsiproxy","ServiceHandle":"SafeServiceHandle","Status":4,"ServiceType":32,"StartType":2,"Site":null,"Container":null},{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"NetIO Legacy TDI Support Driver","DependentServices":"NetBT NcaSvc iphlpsvc Dnscache WinHttpAutoProxySvc AppVClient netprofm NlaSvc Dhcp","MachineName":".","ServiceName":"Tdx","ServicesDependedOn":"tcpip","ServiceHandle":"SafeServiceHandle","Status":4,"ServiceType":1,"StartType":1,"Site":null,"Container":null}]} 640C640F-7FED-4F80-812E-CF8C0852F2E5 2020-11-19T14:52:22Z 340EEE6517060B2B3A357561E719D9588DB65929CFD6091AF87A20D1AAED2BAF XSOAR RestartService 16777873 {8E911C86-A0D8-4C29-ACEB-9FB183909128} SMS00001 16777220 0 EC2AMAZ-2AKQ815 All Systems 2020-11-19T14:52:35Z 1 Succeeded {"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"DNS Client","DependentServices":[{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":false,"DisplayName":"Network Connectivity Assistant","DependentServices":"","MachineName":".","ServiceName":"NcaSvc","ServicesDependedOn":"NSI dnscache iphlpsvc BFE","ServiceHandle":"SafeServiceHandle","Status":1,"ServiceType":32,"StartType":3,"Site":null,"Container":null}],"MachineName":".","ServiceName":"dnscache","ServicesDependedOn":[{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"Network Store Interface Service","DependentServices":"AppVClient netprofm NlaSvc Netman NcaSvc SessionEnv Netlogon Browser LanmanWorkstation iphlpsvc IKEEXT Dnscache WinHttpAutoProxySvc Dhcp","MachineName":".","ServiceName":"nsi","ServicesDependedOn":"rpcss nsiproxy","ServiceHandle":"SafeServiceHandle","Status":4,"ServiceType":32,"StartType":2,"Site":null,"Container":null},{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"NetIO Legacy TDI Support Driver","DependentServices":"NetBT NcaSvc iphlpsvc Dnscache WinHttpAutoProxySvc AppVClient netprofm NlaSvc Dhcp","MachineName":".","ServiceName":"Tdx","ServicesDependedOn":"tcpip","ServiceHandle":"SafeServiceHandle","Status":4,"ServiceType":1,"StartType":1,"Site":null,"Container":null}],"ServiceHandle":{"IsInvalid":false,"IsClosed":false},"Status":4,"ServiceType":32,"StartType":2,"Site":null,"Container":null,"Name":"dnscache","RequiredServices":[{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"Network Store Interface Service","DependentServices":"AppVClient netprofm NlaSvc Netman NcaSvc SessionEnv Netlogon Browser LanmanWorkstation iphlpsvc IKEEXT Dnscache WinHttpAutoProxySvc Dhcp","MachineName":".","ServiceName":"nsi","ServicesDependedOn":"rpcss nsiproxy","ServiceHandle":"SafeServiceHandle","Status":4,"ServiceType":32,"StartType":2,"Site":null,"Container":null},{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"NetIO Legacy TDI Support Driver","DependentServices":"NetBT NcaSvc iphlpsvc Dnscache WinHttpAutoProxySvc AppVClient netprofm NlaSvc Dhcp","MachineName":".","ServiceName":"Tdx","ServicesDependedOn":"tcpip","ServiceHandle":"SafeServiceHandle","Status":4,"ServiceType":1,"StartType":1,"Site":null,"Container":null}]} 640C640F-7FED-4F80-812E-CF8C0852F2E5 2020-11-19T14:52:22Z BD83747944C526E57E066BD863A2D6BBB4B5E81BFFC7310878F16C1505393E9C XSOAR RestartService 16777873 {8E911C86-A0D8-4C29-ACEB-9FB183909128}
#
ms-ecm-service-stopStops a service on a device or collection. (Implemented by creating and invoking the XSOAR StopService
script.)
#
Base Commandms-ecm-service-stop
#
InputArgument Name | Description | Required |
---|---|---|
service_name | The name of the service. | Required |
device_name | The device name to start the service in. (You can retrieve the device name via the !ms-ecm-device-list command.) | Optional |
collection_id | The ID of the collection to start the service in. (You can retrieve the ID via !ms-ecm-collection-list collection_type="Device" .) | Optional |
collection_name | The name of the collection to start the service in. (You can retrieve the name via !ms-ecm-collection-list collection_type="Device" .) | Optional |
poll_results | Whether to poll for the script invocation results. Default is "false". | Optional |
timeout | The timeout in seconds to poll for invocation results. Default is "30". | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
MicrosoftECM.ScriptsInvocationResults.OperationId | number | The script invocation operation ID. |
MicrosoftECM.ScriptsInvocationResults.CollectionId | string | The collection ID of the device on which the script was invoked. on |
MicrosoftECM.ScriptsInvocationResults.CollectionName | string | The collection name of the device on which the script was invoked. on |
MicrosoftECM.ScriptsInvocationResults.DeviceName | string | The name of the device on which the script was invoked. |
MicrosoftECM.ScriptsInvocationResults.ResourceId | number | The resource ID of the device on which the script was invoked. |
MicrosoftECM.ScriptsInvocationResults.LastUpdateTime | date | The last time the invocation result object was updated. |
MicrosoftECM.ScriptsInvocationResults.ScriptExecutionState | string | The state of the script invocation. |
MicrosoftECM.ScriptsInvocationResults.ScriptExitCode | number | The exit code of the script invocation. |
MicrosoftECM.ScriptsInvocationResults.ScriptGuid | string | The unique identifier of the script. |
MicrosoftECM.ScriptsInvocationResults.ScriptLastModifiedDate | date | The date of the script's last modification. |
MicrosoftECM.ScriptsInvocationResults.ScriptName | string | The name of the script. |
MicrosoftECM.ScriptsInvocationResults.ScriptOutput | string | The output of the script invocation. |
MicrosoftECM.ScriptsInvocationResults.ScriptOutputHash | string | The hash of the output of the script invocation. |
MicrosoftECM.ScriptsInvocationResults.ScriptVersion | number | The version of the script when it was invoked. |
MicrosoftECM.ScriptsInvocationResults.TaskID | string | The unique identifier of the invocation. |
#
Command Example!ms-ecm-service-stop service_name=dnscache collection_name="All Systems" poll_results=true timeout=15
#
Context Example#
Human Readable Output#
Script Invocation Results
CollectionName TaskID ScriptOutput ScriptGuid ScriptExecutionState ScriptLastModifiedDate CollectionId ScriptVersion DeviceName LastUpdateTime ScriptName ResourceId ScriptOutputHash ScriptExitCode OperationId All Systems {B038C34A-678C-49A2-BEEE-7EF2DA67831D} {"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":false,"DisplayName":"DNS Client","DependentServices":[{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":false,"DisplayName":"Network Connectivity Assistant","DependentServices":"","MachineName":".","ServiceName":"NcaSvc","ServicesDependedOn":"NSI dnscache iphlpsvc BFE","ServiceHandle":"SafeServiceHandle","Status":1,"ServiceType":32,"StartType":3,"Site":null,"Container":null}],"MachineName":".","ServiceName":"dnscache","ServicesDependedOn":[{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"Network Store Interface Service","DependentServices":"AppVClient netprofm NlaSvc Netman NcaSvc SMS_SITE_VSS_WRITER SMS_SITE_SQL_BACKUP SMS_SITE_COMPONENT_MANAGER SMS_SITE_BACKUP SMS_EXECUTIVE SessionEnv Netlogon Browser LanmanWorkstation iphlpsvc IKEEXT Dnscache WinHttpAutoProxySvc Dhcp","MachineName":".","ServiceName":"nsi","ServicesDependedOn":"rpcss nsiproxy","ServiceHandle":"SafeServiceHandle","Status":4,"ServiceType":32,"StartType":2,"Site":null,"Container":null},{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"NetIO Legacy TDI Support Driver","DependentServices":"NetBT NcaSvc iphlpsvc Dnscache WinHttpAutoProxySvc AppVClient netprofm NlaSvc Dhcp","MachineName":".","ServiceName":"Tdx","ServicesDependedOn":"tcpip","ServiceHandle":"SafeServiceHandle","Status":4,"ServiceType":1,"StartType":1,"Site":null,"Container":null}],"ServiceHandle":{"IsInvalid":false,"IsClosed":false},"Status":1,"ServiceType":32,"StartType":2,"Site":null,"Container":null,"Name":"dnscache","RequiredServices":[{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"Network Store Interface Service","DependentServices":"AppVClient netprofm NlaSvc Netman NcaSvc SMS_SITE_VSS_WRITER SMS_SITE_SQL_BACKUP SMS_SITE_COMPONENT_MANAGER SMS_SITE_BACKUP SMS_EXECUTIVE SessionEnv Netlogon Browser LanmanWorkstation iphlpsvc IKEEXT Dnscache WinHttpAutoProxySvc Dhcp","MachineName":".","ServiceName":"nsi","ServicesDependedOn":"rpcss nsiproxy","ServiceHandle":"SafeServiceHandle","Status":4,"ServiceType":32,"StartType":2,"Site":null,"Container":null},{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"NetIO Legacy TDI Support Driver","DependentServices":"NetBT NcaSvc iphlpsvc Dnscache WinHttpAutoProxySvc AppVClient netprofm NlaSvc Dhcp","MachineName":".","ServiceName":"Tdx","ServicesDependedOn":"tcpip","ServiceHandle":"SafeServiceHandle","Status":4,"ServiceType":1,"StartType":1,"Site":null,"Container":null}]} F6CD27EC-E932-4981-9CED-ECF78A06651D Succeeded 2020-11-19T14:53:31Z SMS00001 1 EC2AMAZ-PHPTDJV 2020-11-19T14:53:40Z XSOAR StopService 16777221 2586F4DFD8FB133752E3DCC53248A417124F096777FC9EEE327B08DF0DEFD175 0 16777875 All Systems {B038C34A-678C-49A2-BEEE-7EF2DA67831D} {"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":false,"DisplayName":"DNS Client","DependentServices":[{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":false,"DisplayName":"Network Connectivity Assistant","DependentServices":"","MachineName":".","ServiceName":"NcaSvc","ServicesDependedOn":"NSI dnscache iphlpsvc BFE","ServiceHandle":"SafeServiceHandle","Status":1,"ServiceType":32,"StartType":3,"Site":null,"Container":null}],"MachineName":".","ServiceName":"dnscache","ServicesDependedOn":[{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"Network Store Interface Service","DependentServices":"AppVClient netprofm NlaSvc Netman NcaSvc SessionEnv Netlogon Dfs Browser LanmanWorkstation iphlpsvc IKEEXT Dnscache WinHttpAutoProxySvc Dhcp","MachineName":".","ServiceName":"nsi","ServicesDependedOn":"rpcss nsiproxy","ServiceHandle":"SafeServiceHandle","Status":4,"ServiceType":32,"StartType":2,"Site":null,"Container":null},{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"NetIO Legacy TDI Support Driver","DependentServices":"NetBT NcaSvc iphlpsvc Dnscache WinHttpAutoProxySvc AppVClient netprofm NlaSvc Dhcp","MachineName":".","ServiceName":"Tdx","ServicesDependedOn":"tcpip","ServiceHandle":"SafeServiceHandle","Status":4,"ServiceType":1,"StartType":1,"Site":null,"Container":null}],"ServiceHandle":{"IsInvalid":false,"IsClosed":false},"Status":1,"ServiceType":32,"StartType":2,"Site":null,"Container":null,"Name":"dnscache","RequiredServices":[{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"Network Store Interface Service","DependentServices":"AppVClient netprofm NlaSvc Netman NcaSvc SessionEnv Netlogon Dfs Browser LanmanWorkstation iphlpsvc IKEEXT Dnscache WinHttpAutoProxySvc Dhcp","MachineName":".","ServiceName":"nsi","ServicesDependedOn":"rpcss nsiproxy","ServiceHandle":"SafeServiceHandle","Status":4,"ServiceType":32,"StartType":2,"Site":null,"Container":null},{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"NetIO Legacy TDI Support Driver","DependentServices":"NetBT NcaSvc iphlpsvc Dnscache WinHttpAutoProxySvc AppVClient netprofm NlaSvc Dhcp","MachineName":".","ServiceName":"Tdx","ServicesDependedOn":"tcpip","ServiceHandle":"SafeServiceHandle","Status":4,"ServiceType":1,"StartType":1,"Site":null,"Container":null}]} F6CD27EC-E932-4981-9CED-ECF78A06651D Succeeded 2020-11-19T14:53:31Z SMS00001 1 EC2AMAZ-TB8VCPN 2020-11-19T14:53:40Z XSOAR StopService 16777222 D27B022F6B8C8B584A79BB2D471EA173AE45588AAE28225563A38FC93B4EF2C6 0 16777875 All Systems {B038C34A-678C-49A2-BEEE-7EF2DA67831D} {"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":false,"DisplayName":"DNS Client","DependentServices":[{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":false,"DisplayName":"Network Connectivity Assistant","DependentServices":"","MachineName":".","ServiceName":"NcaSvc","ServicesDependedOn":"NSI dnscache iphlpsvc BFE","ServiceHandle":"SafeServiceHandle","Status":1,"ServiceType":32,"StartType":3,"Site":null,"Container":null}],"MachineName":".","ServiceName":"dnscache","ServicesDependedOn":[{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"Network Store Interface Service","DependentServices":"AppVClient netprofm NlaSvc Netman NcaSvc SessionEnv Netlogon Browser LanmanWorkstation iphlpsvc IKEEXT Dnscache WinHttpAutoProxySvc Dhcp","MachineName":".","ServiceName":"nsi","ServicesDependedOn":"rpcss nsiproxy","ServiceHandle":"SafeServiceHandle","Status":4,"ServiceType":32,"StartType":2,"Site":null,"Container":null},{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"NetIO Legacy TDI Support Driver","DependentServices":"NetBT NcaSvc iphlpsvc Dnscache WinHttpAutoProxySvc AppVClient netprofm NlaSvc Dhcp","MachineName":".","ServiceName":"Tdx","ServicesDependedOn":"tcpip","ServiceHandle":"SafeServiceHandle","Status":4,"ServiceType":1,"StartType":1,"Site":null,"Container":null}],"ServiceHandle":{"IsInvalid":false,"IsClosed":false},"Status":1,"ServiceType":32,"StartType":2,"Site":null,"Container":null,"Name":"dnscache","RequiredServices":[{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"Network Store Interface Service","DependentServices":"AppVClient netprofm NlaSvc Netman NcaSvc SessionEnv Netlogon Browser LanmanWorkstation iphlpsvc IKEEXT Dnscache WinHttpAutoProxySvc Dhcp","MachineName":".","ServiceName":"nsi","ServicesDependedOn":"rpcss nsiproxy","ServiceHandle":"SafeServiceHandle","Status":4,"ServiceType":32,"StartType":2,"Site":null,"Container":null},{"CanPauseAndContinue":false,"CanShutdown":false,"CanStop":true,"DisplayName":"NetIO Legacy TDI Support Driver","DependentServices":"NetBT NcaSvc iphlpsvc Dnscache WinHttpAutoProxySvc AppVClient netprofm NlaSvc Dhcp","MachineName":".","ServiceName":"Tdx","ServicesDependedOn":"tcpip","ServiceHandle":"SafeServiceHandle","Status":4,"ServiceType":1,"StartType":1,"Site":null,"Container":null}]} F6CD27EC-E932-4981-9CED-ECF78A06651D Succeeded 2020-11-19T14:53:31Z SMS00001 1 EC2AMAZ-2AKQ815 2020-11-19T14:53:40Z XSOAR StopService 16777220 FC945DDB2710DA5E73E6A8F359EE556A85A59671018831092493AD0EA013DE99 0 16777875
#
ms-ecm-script-invocation-resultsGets a script invocation results.
#
Base Commandms-ecm-script-invocation-results
#
InputArgument Name | Description | Required |
---|---|---|
operation_id | The script invocation operation ID. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
MicrosoftECM.ScriptsInvocationResults.OperationId | number | The script invocation operation ID. |
MicrosoftECM.ScriptsInvocationResults.CollectionId | string | The collection ID of the device on which the script was invoked. on |
MicrosoftECM.ScriptsInvocationResults.CollectionName | string | The collection name of the device on which the script was invoked. on |
MicrosoftECM.ScriptsInvocationResults.DeviceName | string | The name of the device on which the script was invoked. |
MicrosoftECM.ScriptsInvocationResults.ResourceId | number | The resource ID of the device on which the script was invoked. |
MicrosoftECM.ScriptsInvocationResults.LastUpdateTime | date | The last time the invocation result object was updated. |
MicrosoftECM.ScriptsInvocationResults.ScriptExecutionState | string | The state of the script invocation. |
MicrosoftECM.ScriptsInvocationResults.ScriptExitCode | number | The exit code of the script invocation. |
MicrosoftECM.ScriptsInvocationResults.ScriptGuid | string | The unique identifier of the script. |
MicrosoftECM.ScriptsInvocationResults.ScriptLastModifiedDate | date | The date of the script's last modification. |
MicrosoftECM.ScriptsInvocationResults.ScriptName | string | The name of the script. |
MicrosoftECM.ScriptsInvocationResults.ScriptOutput | string | The output of the script invocation. |
MicrosoftECM.ScriptsInvocationResults.ScriptOutputHash | string | The hash of the output of the script invocation. |
MicrosoftECM.ScriptsInvocationResults.ScriptVersion | number | The version of the script when it was invoked. |
MicrosoftECM.ScriptsInvocationResults.TaskID | string | The unique identifier of the invocation. |
#
Command Example!ms-ecm-script-invocation-results operation_id=16777267
#
Context Example#
Human Readable Output#
Script Invocation Results
CollectionName TaskID ScriptOutput ScriptGuid ScriptExecutionState ScriptLastModifiedDate CollectionId ScriptVersion DeviceName LastUpdateTime ScriptName ResourceId ScriptOutputHash ScriptExitCode OperationId All Systems {FC58140A-B688-4D2E-8FEE-F7AED348FABF} 2E0D961D-1C89-477D-B1A7-3FFEDC0AF2FA Failed 2020-09-24T14:36:32Z SMS00001 1 EC2AMAZ-2AKQ815 2020-09-29T10:57:15Z Fail 16777220 E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 -2147467259 16777267
#
ms-ecm-device-get-collection-memberGets a Configuration Manager device by querying the SMS_CM_RES_COLL_SMS00001 class. You can use the ms-ecm-device-get-resource
or ms-ecm-device-get-collection-member
commands to change the query class. Depending upon your role-based access in the site, you may need to use one of these other commands.
#
Base Commandms-ecm-device-get-collection-member
#
InputArgument Name | Description | Required |
---|---|---|
device_names | A comma-separated list of device names, i.e., name1,name2,etc. . | Optional |
resource_ids | A comma-separated list of resource IDs, i.e., ID1,ID2,etc. . | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
MicrosoftECM.Devices.DeviceName | string | The name of the device. |
MicrosoftECM.Devices.CollectionMemberDetails.ClientVersion | string | Version of the installed client software. |
MicrosoftECM.Devices.CollectionMemberDetails.DeviceOS | string | Device operating system. |
MicrosoftECM.Devices.ResourceID | number | Unique Configuration Manager-supplied ID for the resource. |
MicrosoftECM.Devices.CollectionMemberDetails.IsActive | boolean | Whether there has been a recent heartbeat from the client. |
MicrosoftECM.Devices.CollectionMemberDetails.LastActiveTime | date | The last reported time the client was active. Comes from Client Health. |
MicrosoftECM.Devices.CollectionMemberDetails.LastClientCheckTime | date | The last reported health evaluation time. Comes from Client Health. |
MicrosoftECM.Devices.CollectionMemberDetails.LastDDR | date | Last heartbeat timestamp from client DDR discovery. |
MicrosoftECM.Devices.CollectionMemberDetails.LastHardwareScan | date | Timestamp from the last hardware inventory scan. |
MicrosoftECM.Devices.CollectionMemberDetails.LastPolicyRequest | date | Timestamp of the last policy request for this client. |
MicrosoftECM.Devices.CollectionMemberDetails.Domain | string | Domain to which the resource belongs. |
MicrosoftECM.Devices.CollectionMemberDetails.PrimaryUser | string | The primary user of the device. |
MicrosoftECM.Devices.CollectionMemberDetails.Status | string | Current status of the device. |
MicrosoftECM.Devices.CollectionMemberDetails.MACAddress | string | The MAC address of the device. |
MicrosoftECM.Devices.CollectionMemberDetails.IsVirtualMachine | boolean | Whether the client is a virtual machine. |
MicrosoftECM.Devices.CollectionMemberDetails.IsDecommissioned | boolean | Whether the collection member is decommissioned. |
MicrosoftECM.Devices.CollectionMemberDetails.IsClient | boolean | Whether the client is a Configuration Manager client. |
MicrosoftECM.Devices.CollectionMemberDetails.IsBlocked | boolean | Whether the system is blocked. The administrator can manually block/unblock a client in the Admin console UI. By blocking a client, client communication with the server will be cut off. |
MicrosoftECM.Devices.CollectionMemberDetails.ExchangeServer | string | Name of the exchange server for Exchange Active Sync (EAS). |
MicrosoftECM.Devices.CollectionMemberDetails.DeviceThreatLevel | string | The threat level of the device. |
MicrosoftECM.Devices.CollectionMemberDetails.CurrentLogonUser | string | The user who is currently logged in. |
MicrosoftECM.Devices.CollectionMemberDetails.LastLogonUser | string | The last user who logged in to the device. |
MicrosoftECM.Devices.CollectionMemberDetails.DeviceOSBuild | string | The operating system build number of the device. |
MicrosoftECM.Devices.CollectionMemberDetails.ADLastLogonTime | date | Last logon timestamp of the computer (discovered from Active Directory). |
MicrosoftECM.Devices.CollectionMemberDetails.SiteCode | string | Site code of the site that created the collection. |
#
Command Example!ms-ecm-device-get-collection-member device_names=EC2AMAZ-2AKQ815
#
Context Example#
Human Readable Output#
Device As Collection Member
ClientVersion ResourceID IsActive IsBlocked DeviceOSBuild LastHardwareScan SiteCode DeviceName LastPolicyRequest DeviceThreatLevel CurrentLogonUser PrimaryUser ExchangeServer LastClientCheckTime LastDDR IsDecommissioned LastLogonUser Domain Status LastActiveTime IsClient ADLastLogonTime IsVirtualMachine DeviceOS 5.00.8790.1007 16777220 True False 10.0.14393.3025 2020-11-15T11:49:36Z ISR EC2AMAZ-2AKQ815 2020-11-19T13:10:59Z demisto\sccmadmin 2020-11-07T16:42:39Z 2020-11-18T18:30:48Z False DEMISTO 2020-11-19T13:10:59Z True 11/12/2020 6:07:29 AM False Microsoft Windows NT Advanced Server 10.0
#
ms-ecm-device-get-resourceGets a Configuration Manager device by querying the SMS_R_System class. You can use the ms-ecm-device-get-resource
or ms-ecm-device-get-collection-member
commands to change the query class. Depending upon your role-based access in the site, you may need to use one of these other commands.
#
Base Commandms-ecm-device-get-resource
#
InputArgument Name | Description | Required |
---|---|---|
device_names | A comma-separated list of device names, i.e., name1,name2,etc. . | Optional |
resource_ids | A comma-separated list of resource ids, i.e., ID1,ID2,etc. . | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
MicrosoftECM.Devices.DeviceName | string | The name of the device. |
MicrosoftECM.Devices.ResourceDetails.AgentName | string | List of the names of discovery agents that found the resource. |
MicrosoftECM.Devices.ResourceID | number | Configuration Manager-supplied ID that uniquely identifies a Configuration Manager client resource. |
MicrosoftECM.Devices.ResourceDetails.ADSiteName | string | The Active Directory site name that is assigned to the client. |
MicrosoftECM.Devices.ResourceDetails.AgentSite | string | List of sites from which the discovery agents run. |
MicrosoftECM.Devices.ResourceDetails.AgentTime | date | List of discovery dates and times. |
MicrosoftECM.Devices.ResourceDetails.CPUType | string | The CPU type, for example, StrongARM. Currently, only device clients report this value. |
MicrosoftECM.Devices.ResourceDetails.DistinguishedName | string | The distinguished name of the account. |
MicrosoftECM.Devices.ResourceDetails.FullDomainName | string | The full name of the device's domain |
MicrosoftECM.Devices.ResourceDetails.IPv4Addresses | string | List of the IPv4 addresses that are associated with the resource. More than one address is listed if the resource has multiple network cards installed. |
MicrosoftECM.Devices.ResourceDetails.IPv6Addresses | string | List of the IPv6 addresses that are associated with the resource. More than one address is listed if the resource has multiple network cards installed. |
MicrosoftECM.Devices.ResourceDetails.NetbiosName | string | Name used by the NetBIOS protocol. |
MicrosoftECM.Devices.ResourceDetails.UserAccountControl | number | User account control value retrieved from Active Directory. |
MicrosoftECM.Devices.ResourceDetails.LastLogonUserName | date | Name of the last logged-on user at the time the discovery agent ran. |
MicrosoftECM.Devices.ResourceDetails.LastLogonUserDomain | string | Domain used by the last logged-on user at the time the discovery agent ran. |
MicrosoftECM.Devices.ResourceDetails.LastLogonTimestamp | date | The date of the last user logon. |
MicrosoftECM.Devices.ResourceDetails.OperatingSystemNameandVersion | string | Free-form string that describes the operating system. |
MicrosoftECM.Devices.ResourceDetails.VirtualMachineHostName | string | Virtual machine hostname. |
MicrosoftECM.Devices.ResourceDetails.VirtualMachineType | string | The type of the virtual machine. |
MicrosoftECM.Devices.ResourceDetails.DNSForestGuid | string | A unique identifier for the DNS forest. |
MicrosoftECM.Devices.ResourceDetails.HardwareID | string | An ID that uniquely describes the hardware on which the client is installed. This ID remains unchanged through re-imaging or through successive installations of the operating system or client. This differs from the Configuration Manager unique ID, which might change under these circumstances. |
#
Command Example!ms-ecm-device-get-resource device_names=EC2AMAZ-2AKQ815
#
Context Example#
Human Readable Output#
Device As Resource
DistinguishedName VirtualMachineHostName AgentTime OperatingSystemNameandVersion IPv4Addresses AgentSite AgentName ADSiteName FullDomainName VirtualMachineType CPUType UserAccountControl NetbiosName LastLogonTimestamp HardwareID DNSForestGuid LastLogonUserName IPv6Addresses DeviceName LastLogonUserDomain ResourceID CN=EC2AMAZ-2AKQ815,CN=Computers,DC=demisto,DC=local ["2020-11-19T00:00:01Z","2019-07-07T10:12:48Z","2020-11-19T14:30:48Z"] Microsoft Windows NT Advanced Server 10.0 "2.2.2.2" ["ISR","ISR","ISR"] ["SMS_AD_SYSTEM_DISCOVERY_AGENT","MP_ClientRegistration","Heartbeat Discovery"] Default-First-Site-Name DEMISTO.LOCAL 0 Intel64 Family 6 Model 85 Stepping 4 4096 EC2AMAZ-2AKQ815 2020-11-12T06:07:29Z 2:387B42C549C5E7D718B68BC65959FA9041F7F2D0 E8AA1F36-33BE-41F2-ADCB-E40376F5B168 "fe80::81c5:1670:9363:a40b" EC2AMAZ-2AKQ815 16777220
#
ms-ecm-get-user-device-affinityGets the relationships between a device and its primary users.
#
Base Commandms-ecm-get-user-device-affinity
#
InputArgument Name | Description | Required |
---|---|---|
user_names | A comma-separated list of usernames with the form of "Domain\username" i.e., "Domain\user1,Domain\user2",etc.". | Optional |
resource_ids | A comma-separated list of device resource ids, i.e., ID1,ID2,etc. . | Optional |
device_names | A comma-separated list of device names, i.e., name1,name2,etc. . | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
MicrosoftECM.UserDeviceAffinity.DeviceName | string | The name of the device. |
MicrosoftECM.UserDeviceAffinity.UserName | string | The user name in domain\user format. |
MicrosoftECM.UserDeviceAffinity.ResourceID | number | The resource ID of the device. |
MicrosoftECM.UserDeviceAffinity.IsActive | boolean | Whether the relationship is active. |
MicrosoftECM.UserDeviceAffinity.CreationTime | date | The time when the relationship was created. |
MicrosoftECM.UserDeviceAffinity.RelationshipResourceID | number | The unique identifier for this relationship. |
#
Command Example!ms-ecm-get-user-device-affinity device_names=EC2AMAZ-2AKQ815
#
Context Example#
Human Readable Output#
User Device Affinity
IsActive DeviceName ResourceID CreationTime UserName RelationshipResourceID True EC2AMAZ-2AKQ815 16777220 2020-09-07T14:52:57Z demisto\sccmadmin 25165825 True EC2AMAZ-2AKQ815 16777220 2020-11-05T17:44:33Z demisto\administrator 25165830