CrowdStrike Falcon - Retrieve File

This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook retrieves and unzips files from CrowdStrike Falcon and returns a list of the files that were and were not retrieved.

CrowdStrike Falcon · 8 tasks · 4 inputs · 2 outputs

Inputs

  • HostId — The ID of the host to use.
  • PathsToGet — The path to retrieve the file from the host.
  • ZipPassword — Default password to unzip files retrieved by CrowdStrike Falcon.
  • FileNames — The names of the file to retrieve. This is used to validate that all the intended files were retrieved, not to specify which ones will be retrieved.

Outputs

  • ExtractedFiles — A list of file names that were extracted from the ZIP file.
  • NonRetrievedFiles — A list of files that were not retrieved.

Commands used

cs-falcon-rtr-retrieve-file

Flowchart

true yes yes Start Start Retrieve file - cs-falcon-rtr-retrieve-file Retrieve file cs-falcon-rtr-retrieve-file Unzip file - UnzipFile Unzip file UnzipFile Done Done Have all files been retrieved? Have all files been retri... Set files that were not retrieved - Set Set files that were not r... Set Is CrowdStrike Falcon enabled? - IsIntegrationAvailable Is CrowdStrike Falcon ena... IsIntegrationAvailable Are all required inputs provided? Are all required inputs p...