Skip to main content

Workflow Template: QuickAction - Fetch a File from Device on MS Defender Endpoint

Fetch a file from a device on MS Defender Endpoint when a quick action button is pressed.

Updated today

The "QuickAction - Fetch a File from Device on MS Defender Endpoint" workflow template is designed to streamline case management and enhance threat hunting and intelligence enrichment. It allows SOC analysts to efficiently retrieve suspicious files from endpoints using Microsoft Defender for Endpoint. The workflow automates the process of fetching files, securing them in password-protected archives, and attaching them to cases, ensuring secure handling and documentation of potential threats.

Take Me to the Template

Use Cases

Case Management , Threat Hunting , Threat Intelligence Enrichment

Workflow Breakdown

  1. Fetch a File from Device on MS Defender Endpoint

  2. Replace Gzip archive with Password Protected Zip archive using a predefined password

  3. Attach to case

Vendors

Scripting, Utils, HTTP, Microsoft Defender for Endpoint, Torq Cases

Related Articles
Workflow Template: Download a File from a SentinelOne Endpoint
Workflow Template: QuickAction - Isolate or Release a Device on MS Defender Endpoint
Workflow Template: QuickAction - Scan Device on MS Defender for Endpoint
Workflow Template: Poll for New Microsoft Defender for Endpoint Events for Cases
Workflow Template: QuickAction - Fetch a File from Device on SentinelOne
Did this answer your question?