MDE - Retrieve File
This playbook is part of the ‘Malware Investigation And Response’ pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook uses the Live Response feature to retrieve a file from an endpoint. The playbook supports a supplied machine id as an input. Otherwise, it will take the Device ID incident field. The playbook supports only one element to be retrieved for each task (if needed more then one - use the playbook loop feature).
Microsoft Defender for Endpoint · 6 tasks · 2 inputs · 2 outputs
Inputs
paths— The file paths to be provided.MachineID— The ID of the machine.
Outputs
ExtractedFiles— A list of file names that were extracted from the ZIP file.MicrosoftATP.LiveResponseAction.status— The machine action status.
Commands used
microsoft-atp-live-response-get-file