Skip to main content

QuickAction - Fetch a File from Device on MS Defender Endpoint - Workflow Template

Fetches a file from a device on MS Defender Endpoint when a quick action button is pressed.

Updated today

The "QuickAction - Fetch a File from Device on MS Defender Endpoint" workflow template provides a streamlined process for security analysts to swiftly retrieve files from a device using Microsoft Defender for Endpoint. Upon triggering a quick action, the workflow fetches the specified file, converts it from Gzip to a password-protected Zip archive with a predefined password, and attaches it to the relevant case. Ideal for case management and enhancing threat hunting and intelligence enrichment, it ensures secure handling and documentation of potentially malicious files within forensic investigations.

Take Me to the Template

Use Cases

Case Management , Threat Hunting , Threat Intelligence Enrichment

Workflow Breakdown

  1. Fetch a File from Device on MS Defender Endpoint

  2. Replace Gzip archive with Password Protected Zip archive using a predefined password

  3. Attach to case

Vendors

Scripting, Utils, HTTP, Microsoft Defender for Endpoint, Torq Cases

Related Articles
Threat Hunt for a Specified SHA1 Signature in SingularityXDR - Workflow Template
Initial Microsoft Defender for Endpoint Case Creation - Workflow Template
QuickAction - Isolate or Release a Device on MS Defender Endpoint - Workflow Template
QuickAction - Scan Device on MS Defender for Endpoint - Workflow Template
Poll for New Microsoft Defender for Endpoint Events for Cases - Workflow Template
Did this answer your question?