Collects a file from a device over a Live Response session. The following permission is required to run this action:
  • Machine.LiveResponse
External Documentation
To learn more, visit the Microsoft Defender for Endpoints documentation.

Parameters

Parameter     Description
Comment       Comment to associate with the action.
File Path     The path of the file on the machine.
Machine ID    The ID of the machine. Can be obtained using the List Machines action.

Example Output

{
	"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions/$entity",
	"id": "{machine_action_id}",
	"type": "LiveResponse",
	"requestor": "analyst@microsoft.com",
	"requestorComment": "Testing Live Response API",
	"status": "Pending",
	"machineId": "{machine_id}",
	"computerDnsName": "hostname",
	"creationDateTimeUtc": "2021-02-04T15:36:52.7788848Z",
	"lastUpdateDateTimeUtc": "2021-02-04T15:36:52.7788848Z",
	"errorHResult": 0,
	"commands": [
		{
			"index": 0,
			"startTime": null,
			"endTime": null,
			"commandStatus": "Created",
			"errors": [],
			"command": {
				"type": "RunScript",
				"params": [
					{
						"key": "ScriptName",
						"value": "minidump.ps1"
					},
					{
						"key": "Args",
						"value": "OfficeClickToRun"
					}
				]
			}
		},
		{
			"index": 1,
			"startTime": null,
			"endTime": null,
			"commandStatus": "Created",
			"errors": [],
			"command": {
				"type": "GetFile",
				"params": [
					{
						"key": "Path",
						"value": "C:\\windows\\TEMP\\OfficeClickToRun.dmp.zip"
					}
				]
			}
		}
	]
}
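An added example, not code from this page, the workflow platform, or Microsoft, showing how this action maps onto the underlying Defender for Endpoint Live Response API: it builds the GetFile request from the parameters above, reduces a MachineAction shaped like the Example Output to the fields a playbook branches on, and polls the action to completion before resolving the result download link. Endpoint paths, status names and the download-link call are as I recall them from Microsoft's API reference and are assumptions to verify against the linked documentation; SAMPLE_ACTION is a constructed stand-in for the Example Output.

```python
import json
import time
import urllib.request

API_BASE = "https://api.securitycenter.microsoft.com/api"  # host shown in the Example Output
TERMINAL = {"Succeeded", "Failed", "TimeOut", "Cancelled"}  # assumed MachineAction end states

# Constructed sample in the shape of the Example Output (only the fields used below).
SAMPLE_ACTION = {"id": "{machine_action_id}", "status": "Pending", "errorHResult": 0, "commands": [
    {"index": 0, "commandStatus": "Created", "errors": [], "command": {"type": "RunScript", "params": []}},
    {"index": 1, "commandStatus": "Created", "errors": [], "command": {"type": "GetFile", "params": [
        {"key": "Path", "value": "C:\\windows\\TEMP\\OfficeClickToRun.dmp.zip"}]}}]}


def build_get_file_request(file_path, comment):
    """Body for POST /machines/{machine_id}/runliveresponse: File Path -> GetFile Path param."""
    return {"Commands": [{"type": "GetFile", "params": [{"key": "Path", "value": file_path}]}],
            "Comment": comment}


def summarize_action(action):
    """Reduce a MachineAction to: finished?, failed?, and the index of each GetFile command
    (the index is what the result download-link call is keyed on)."""
    commands = action.get("commands", [])
    errors = [err for cmd in commands for err in cmd.get("errors", [])]
    status = action.get("status")
    return {"id": action.get("id"), "status": status, "done": status in TERMINAL,
            "failed": status in TERMINAL - {"Succeeded"} or action.get("errorHResult", 0) != 0 or bool(errors),
            "get_file_indexes": [c["index"] for c in commands if c.get("command", {}).get("type") == "GetFile"],
            "errors": errors}


def _call(token, path, body=None):
    """Authenticated call; token is an Azure AD bearer token granted Machine.LiveResponse."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API_BASE + path, data=data, method="POST" if body else "GET",
                                 headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def collect_file(token, machine_id, file_path, comment, poll_seconds=10):
    """Submit GetFile, poll until the action ends, then resolve each result download link (assumed endpoints)."""
    action = _call(token, f"/machines/{machine_id}/runliveresponse", build_get_file_request(file_path, comment))
    while not summarize_action(action)["done"]:
        time.sleep(poll_seconds)
        action = _call(token, f"/machineactions/{action['id']}")
    summary = summarize_action(action)
    if summary["failed"]:
        raise RuntimeError(f"live response action {summary['id']} failed: {summary['errors']}")
    summary["download_links"] = [_call(token, f"/machineactions/{action['id']}/GetLiveResponseResultDownloadLink(index={i})")["value"] for i in summary["get_file_indexes"]]
    return summary
```

A "Pending" action such as the Example Output is neither done nor failed, so a playbook must keep polling rather than treating the first response as a collected file.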

Workflow Library Example

Get File from Machine with Microsoft Defender for Endpoints and Send Results Via Email