Get File From Machine

Collect file from a device.

The following permission is required to run this action:

  • Machine.LiveResponse
External Documentation

Parameters

| Parameter | Description |
| --- | --- |
| Comment | Comment to associate with the action. |
| File Path | The path of the file on the machine. |
| Machine ID | The ID of the machine. Can be obtained using the List Machines action. |

Example Output

{
  "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions/$entity",
  "id": "{machine_action_id}",
  "type": "LiveResponse",
  "requestor": "analyst@microsoft.com",
  "requestorComment": "Testing Live Response API",
  "status": "Pending",
  "machineId": "{machine_id}",
  "computerDnsName": "hostname",
  "creationDateTimeUtc": "2021-02-04T15:36:52.7788848Z",
  "lastUpdateDateTimeUtc": "2021-02-04T15:36:52.7788848Z",
  "errorHResult": 0,
  "commands": [
    {
      "index": 0,
      "startTime": null,
      "endTime": null,
      "commandStatus": "Created",
      "errors": [],
      "command": {
        "type": "RunScript",
        "params": [
          {
            "key": "ScriptName",
            "value": "minidump.ps1"
          },
          {
            "key": "Args",
            "value": "OfficeClickToRun"
          }
        ]
      }
    },
    {
      "index": 1,
      "startTime": null,
      "endTime": null,
      "commandStatus": "Created",
      "errors": [],
      "command": {
        "type": "GetFile",
        "params": [
          {
            "key": "Path",
            "value": "C:\\windows\\TEMP\\OfficeClickToRun.dmp.zip"
          }
        ]
      }
    }
  ]
}
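An added example, not part of the original page or the vendor's code: it parses a machine action record shaped like the Example Output above, lists each file a GetFile command collected together with its command index, and flags collections that lack a comment or come from an unexpected requestor. The function names and the `approved_requestors` allow-list are assumptions made for illustration.

```python
import json

# Constructed sample: trimmed copy of the Example Output shown above.
SAMPLE = r'''
{"id": "{machine_action_id}", "type": "LiveResponse",
 "requestor": "analyst@microsoft.com",
 "requestorComment": "Testing Live Response API",
 "status": "Pending", "machineId": "{machine_id}",
 "commands": [
  {"index": 0, "commandStatus": "Created", "errors": [],
   "command": {"type": "RunScript", "params": [
     {"key": "ScriptName", "value": "minidump.ps1"},
     {"key": "Args", "value": "OfficeClickToRun"}]}},
  {"index": 1, "commandStatus": "Created", "errors": [],
   "command": {"type": "GetFile", "params": [
     {"key": "Path", "value": "C:\\windows\\TEMP\\OfficeClickToRun.dmp.zip"}]}}]}
'''
ACTION = json.loads(SAMPLE)

def command_rows(action):
    """One flat row per command, with the key/value params turned into a dict."""
    rows = []
    for cmd in action.get("commands", []):
        body = cmd.get("command", {})
        rows.append({
            "index": cmd.get("index"),
            "type": body.get("type"),
            "status": cmd.get("commandStatus"),
            "params": {p["key"]: p["value"] for p in body.get("params", [])},
        })
    return rows

def collected_files(action):
    """(command index, path) for every GetFile command in the action."""
    return [(r["index"], r["params"].get("Path"))
            for r in command_rows(action) if r["type"] == "GetFile"]

def audit_findings(action, approved_requestors):
    """Flag file collections that lack a comment or an approved requestor.
    approved_requestors is a hypothetical allow-list kept by the reviewer."""
    findings = []
    if not collected_files(action):
        return findings
    if not (action.get("requestorComment") or "").strip():
        findings.append("file collected without a comment")
    if action.get("requestor") not in approved_requestors:
        findings.append("requestor not on approved list")
    return findings

if __name__ == "__main__":
    print(collected_files(ACTION), audit_findings(ACTION, {"analyst@microsoft.com"}))
```

In the sample the GetFile command sits at index 1 because a RunScript command precedes it, so the index should be read from the record rather than assumed to be 0.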

Workflow Library Example

Get File from Machine with Microsoft Defender for Endpoints and Send Results Via Email