Skip to main content

Workflow Template: QuickAction - Fetch a File from Device on MS Defender Endpoint

Fetch a file from a device on MS Defender Endpoint when a quick action button is pressed.

Updated over 2 weeks ago

The "QuickAction - Fetch a File from Device on MS Defender Endpoint" workflow template is designed to streamline the process of retrieving suspicious files from endpoints using Microsoft Defender for Endpoint. This workflow is particularly useful for security operations centers (SOCs) engaged in threat hunting and case management. It automates the fetching of files, compresses them into password-protected archives, and attaches them to cases for further analysis, enhancing threat intelligence enrichment and incident response efficiency.

Take Me to the Template

Use Cases

Case Management , Threat Hunting , Threat Intelligence Enrichment

Workflow Breakdown

  1. Fetch a File from Device on MS Defender Endpoint

  2. Replace Gzip archive with Password Protected Zip archive using a predefined password

  3. Attach to case

Vendors

Scripting, Utils, HTTP, Microsoft Defender for Endpoint, Torq Cases

Related Articles
Workflow Template: QuickAction - Isolate or Release a Device on MS Defender Endpoint
Workflow Template: QuickAction - Scan Device on MS Defender for Endpoint
Workflow Template: QuickAction - Run a command on a device with MS Defender Endpoint
Workflow Template: QuickAction - Fetch a File from Device on SentinelOne
Workflow Template: File Prevalence Check on MS Defender for Endpoint
Did this answer your question?