Example: Sensor-sourced packages
Sensor-sourced packages are designed like parameterized packages, but instead of taking user input as run-time arguments, these packages take sensor output. The command syntax requires a sensor result that is passed from the Interact results grid when the Deploy Action workflow is invoked.
Start Service - ||Stopped Service|| is a sensor-sourced package included in the Initial Content pack. You can use it in Interact to find endpoints with stopped services and deploy an action to start the service.
On the Deploy Action workflow page, the Browse Packages list includes sensor-sourced packages only if the rows selected on the Interact results grid have a value to pass to the package. In the following example, the row showing Windows Defender in the Stopped Service column was selected, so the Start Service - ||Stopped Service|| package appears in the list. If the row showing [no results] were selected, this package would not be available in the list.
Note that the targeting criteria include the name of the stopped service. This value is passed to the package command line.
In the startservice.vbs script, the value passed to strService must be UTF8-decoded, just as if it were a parameterized package that took user input. For information on parameterized packages and UTF8 decoding, see Example: Parameterized packages.
When you configure package settings, in the command text box, specify the name of the sensor. Enclose the name with double vertical bars (||), like ||Stopped Service|| in the following example.
You cannot use a sensor that has an underscore character (_) in the name. The underscore is a delimiter for sensor subcolumns. If the sensor name has an underscore, it causes errors and unexpected results in sensor-sourced packages.
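A pre-deployment check for the rules above, as an added example (not Tanium code): it extracts the ||sensor|| placeholders from a package command, flags names that contain an underscore, and models the rule that the package is offered only when the selected row has a value. The function names and the sample command lines are constructed for illustration.

```python
import re

# Placeholder syntax from the page: a sensor name enclosed in double vertical bars.
PLACEHOLDER = re.compile(r"\|\|(.*?)\|\|")
NO_RESULTS = "[no results]"

# Constructed sample command lines (not taken from a real deployment).
GOOD = 'cmd /c cscript startservice.vbs "||Stopped Service||"'
BAD = 'cmd /c cscript startservice.vbs "||Stopped_Service||"'


def sensor_placeholders(command):
    """Return the sensor names referenced as ||name|| in a package command."""
    return [m.group(1) for m in PLACEHOLDER.finditer(command)]


def lint_command(command):
    """Return a list of problems found in a sensor-sourced package command."""
    problems = []
    names = sensor_placeholders(command)
    if not names:
        problems.append("no ||sensor|| placeholder found")
    for name in names:
        if not name.strip():
            problems.append("empty sensor name")
        elif "_" in name:
            # The underscore is the sensor subcolumn delimiter.
            problems.append(f"sensor name contains an underscore: {name!r}")
    # An odd number of || delimiters means a placeholder was left unclosed.
    if command.count("||") % 2:
        problems.append("unbalanced || delimiter")
    return problems


def package_offered(command, selected_row):
    """Model of the Browse Packages rule: each referenced sensor needs a value in the row."""
    names = [n.strip() for n in sensor_placeholders(command)]
    return bool(names) and all(
        selected_row.get(n, NO_RESULTS) not in ("", NO_RESULTS) for n in names
    )


if __name__ == "__main__":
    for cmd in (GOOD, BAD):
        print(cmd, "->", lint_command(cmd) or "ok")
    print(package_offered(GOOD, {"Stopped Service": "Windows Defender"}))
    print(package_offered(GOOD, {"Stopped Service": NO_RESULTS}))
```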
Last updated: 3/19/2018 10:42 AM