Collect a file from a device.

The following permission is required to run this action:

  • Machine.LiveResponse

External Documentation

To learn more, visit the Microsoft Defender for Endpoint documentation.

Parameters

Parameter     Description
---------     -----------
Comment       Comment to associate with the action.
File Path     The path of the file on the machine.
Machine ID    The ID of the machine. Can be obtained using the List Machines action.

Example Output

{
	"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions/$entity",
	"id": "{machine_action_id}",
	"type": "LiveResponse",
	"requestor": "analyst@microsoft.com",
	"requestorComment": "Testing Live Response API",
	"status": "Pending",
	"machineId": "{machine_id}",
	"computerDnsName": "hostname",
	"creationDateTimeUtc": "2021-02-04T15:36:52.7788848Z",
	"lastUpdateDateTimeUtc": "2021-02-04T15:36:52.7788848Z",
	"errorHResult": 0,
	"commands": [
		{
			"index": 0,
			"startTime": null,
			"endTime": null,
			"commandStatus": "Created",
			"errors": [],
			"command": {
				"type": "RunScript",
				"params": [
					{
						"key": "ScriptName",
						"value": "minidump.ps1"
					},
					{
						"key": "Args",
						"value": "OfficeClickToRun"
					}
				]
			}
		},
		{
			"index": 1,
			"startTime": null,
			"endTime": null,
			"commandStatus": "Created",
			"errors": [],
			"command": {
				"type": "GetFile",
				"params": [
					{
						"key": "Path",
						"value": "C:\\windows\\TEMP\\OfficeClickToRun.dmp.zip"
					}
				]
			}
		}
	]
}
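As an added example (not part of this page or the workflow library), the following Python shows what the action does behind the scenes: it builds the Live Response request body that collects one file, then inspects the returned machine action to find the GetFile command index and decide whether the result can be downloaded yet (the example output above is still Pending, so it cannot). The endpoint paths and status names are taken from Microsoft's public Defender for Endpoint API reference; the sample action is constructed from the example output, and the machine-action ID is a placeholder.

```python
import json

API = "https://api.securitycenter.microsoft.com/api"
# Terminal machine-action states in the Defender for Endpoint API; anything else is still running
TERMINAL = {"Succeeded", "Failed", "TimeOut", "Cancelled"}

def build_getfile_request(file_path, comment):
    """Body for POST {API}/machines/{machine_id}/runliveresponse that collects one file."""
    return {
        "Commands": [{"type": "GetFile", "params": [{"key": "Path", "value": file_path}]}],
        "Comment": comment,
    }

def getfile_command_index(machine_action):
    """Index of the GetFile command in the returned machine action, or None if there is none."""
    for cmd in machine_action.get("commands", []):
        if cmd["command"]["type"] == "GetFile":
            return cmd["index"]
    return None

def is_finished(machine_action):
    """True once the action has left Pending/InProgress; only then can a result be downloaded."""
    return machine_action["status"] in TERMINAL

def download_link_url(machine_action_id, index):
    """GET this URL (bearer token) to obtain a short-lived link to the collected file."""
    return f"{API}/machineactions/{machine_action_id}/GetLiveResponseResultDownloadLink(index={index})"

# Constructed sample, trimmed from the example output above: still Pending, GetFile at index 1
SAMPLE_ACTION = {
    "id": "{machine_action_id}",
    "status": "Pending",
    "commands": [
        {"index": 0, "commandStatus": "Created", "command": {"type": "RunScript", "params": []}},
        {"index": 1, "commandStatus": "Created", "command": {"type": "GetFile", "params": [
            {"key": "Path", "value": "C:\\windows\\TEMP\\OfficeClickToRun.dmp.zip"}]}},
    ],
}

if __name__ == "__main__":
    body = build_getfile_request("C:\\windows\\TEMP\\OfficeClickToRun.dmp.zip", "IR case 1234")
    print(json.dumps(body, indent=2))
    idx = getfile_command_index(SAMPLE_ACTION)
    if is_finished(SAMPLE_ACTION):
        print("download via", download_link_url(SAMPLE_ACTION["id"], idx))
    else:
        print(f"status {SAMPLE_ACTION['status']}: keep polling {API}/machineactions/{SAMPLE_ACTION['id']}")
```

The workflow polls the machine action until its status is terminal and only then requests the download link for the GetFile index; a Failed or TimeOut status carries the reason in the command's errors list.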

Workflow Library Example

Get File from Machine with Microsoft Defender for Endpoints and Send Results Via Email
