Other versions

Example: Sensor-sourced packages

Sensor-sourced packages are designed like parameterized packages, but instead of taking user input as run-time arguments, these packages take sensor output. The command syntax requires a sensor result that is passed from the Interact results grid when the Deploy Action workflow is invoked.

Start Service - || Stopped Service || is a sensor-source package included in the Initial Content pack. You can use it in Interact to find endpoints with stopped services and deploy an action to start the service.

Figure  1:  Deploy an action with a sensor-sourced package

On the Deploy Action workflow page, the Browse Packages list includes sensor-source packages only if the rows selected on the Interact results grid have a value to pass to the package. In the following example, the row showing Windows Defender in the Stopped Service column was selected, so the Start Service - ||Stopped Service|| package appears in the list. If the row showing [no results] were selected, this package would not be available in the list.

Figure  2:  Browse Packages list

Note the targeting criteria includes the name of the stopped service. This value is passed to the package command line.

Figure  3:  Targeting Criteria

Script

In the startservice.vbs script, the value passed to strService must be UTF8-decoded, just as if it were a parameterized package that took user input. For information on parameterized packages and UTF8 decoding, see Example: Parameterized packages.

Figure  4:  startservice.vbs script

Settings

When you configure package settings, in the command text box, specify the name of the sensor. Enclose the name with double vertical bars (||), like ||Stopped Service|| in the following example.

Figure  5:  Package command with sensor output arguments

You cannot use a sensor that has an underscore character (_) in the name. The underscore is a delimiter for sensor subcolumns. If the sensor name has an underscore, it causes errors and unexpected results in sensor-sourced packages.

Last updated: 9/24/2018 2:13 PM | Feedback