Get File From Machine
Collect a file from a device.
The following permission is required to run this action:
Machine.LiveResponse
External Documentation
To learn more, visit the Microsoft Defender For Endpoints documentation.
Parameters
Parameter | Description |
---|---|
Comment | Comment to associate with the action. |
File Path | The path of the file on the machine. |
Machine ID | The ID of the machine. Can be obtained using the List Machines action. |
Example Output
{
  "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions/$entity",
  "id": "{machine_action_id}",
  "type": "LiveResponse",
  "requestor": "analyst@microsoft.com",
  "requestorComment": "Testing Live Response API",
  "status": "Pending",
  "machineId": "{machine_id}",
  "computerDnsName": "hostname",
  "creationDateTimeUtc": "2021-02-04T15:36:52.7788848Z",
  "lastUpdateDateTimeUtc": "2021-02-04T15:36:52.7788848Z",
  "errorHResult": 0,
  "commands": [
    {
      "index": 0,
      "startTime": null,
      "endTime": null,
      "commandStatus": "Created",
      "errors": [],
      "command": {
        "type": "RunScript",
        "params": [
          {
            "key": "ScriptName",
            "value": "minidump.ps1"
          },
          {
            "key": "Args",
            "value": "OfficeClickToRun"
          }
        ]
      }
    },
    {
      "index": 1,
      "startTime": null,
      "endTime": null,
      "commandStatus": "Created",
      "errors": [],
      "command": {
        "type": "GetFile",
        "params": [
          {
            "key": "Path",
            "value": "C:\\windows\\TEMP\\OfficeClickToRun.dmp.zip"
          }
        ]
      }
    }
  ]
}
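The following added example, which is not part of the original documentation or the vendor's code, reads a response of the shape shown above and reports, for each GetFile command, its index, the collected path and whether it finished cleanly. The helper name `collected_files` and the terminal values `Succeeded` and `Completed` are assumptions; the output on this page only shows `Pending` and `Created`.

```python
import json

# Assumed terminal values; the page's output only shows "Pending" and "Created".
ACTION_DONE = "Succeeded"
COMMAND_DONE = "Completed"

# Constructed sample, trimmed to the fields used here (same shape as the output above).
SAMPLE = json.loads(r'''
{"id": "{machine_action_id}", "type": "LiveResponse", "status": "Pending",
 "machineId": "{machine_id}", "errorHResult": 0,
 "commands": [
  {"index": 0, "commandStatus": "Created", "errors": [],
   "command": {"type": "RunScript", "params": [
     {"key": "ScriptName", "value": "minidump.ps1"},
     {"key": "Args", "value": "OfficeClickToRun"}]}},
  {"index": 1, "commandStatus": "Created", "errors": [],
   "command": {"type": "GetFile", "params": [
     {"key": "Path", "value": "C:\\windows\\TEMP\\OfficeClickToRun.dmp.zip"}]}}]}
''')


def collected_files(action, machine_id=None):
    """Return one record per GetFile command in a LiveResponse machine action."""
    if action.get("type") != "LiveResponse":
        raise ValueError("not a LiveResponse machine action")
    if machine_id is not None and action.get("machineId") != machine_id:
        raise ValueError("response is for a different machine than requested")
    action_done = action.get("status") == ACTION_DONE and action.get("errorHResult") == 0
    records = []
    for cmd in action.get("commands", []):
        body = cmd.get("command", {})
        if body.get("type") != "GetFile":
            continue  # e.g. the RunScript step that produced the dump
        params = {p["key"]: p["value"] for p in body.get("params", [])}
        errors = cmd.get("errors", [])
        records.append({
            "index": cmd["index"],
            "path": params.get("Path"),
            "command_status": cmd.get("commandStatus"),
            "errors": errors,
            # Only treat the file as collected when action and command both finished cleanly.
            "ready": action_done and cmd.get("commandStatus") == COMMAND_DONE and not errors,
        })
    return records


if __name__ == "__main__":
    for rec in collected_files(SAMPLE, machine_id="{machine_id}"):
        print(rec)
```

For the sample above, the single GetFile record has index 1 and is not ready, because the action is still `Pending`.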
Workflow Library Example
Get File from Machine with Microsoft Defender for Endpoints and Send Results Via Email