Skip to main content

Cortex XDR - Retrieve File by sha256

This Playbook is part of the Cortex XDR by Palo Alto Networks Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to The playbook facilitates the process of retrieving files from the investigated devices, unzipping the retrieved files, and loading them into the War Room.

This playbook consists of the following steps:

Initially, the sub-playbook 'Cortex XDR - Get File Path from alerts by hash' examines the SHA256 file hashes and retrieves the file paths associated with each hash. As soon as the SHA256 hashes, file paths, and endpoint IDs are obtained, the playbook attempts to retrieve the files from all the investigated devices. Once the file retrieval automation has been completed successfully, the playbook will unzip the files and load them into the War Room.

Note: When retrieving multiple files, ensure that the SHA256 input is set to run in a loop.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Cortex XDR - Get File Path from alerts by hash


  • CortexXDRIR


  • PrintErrorEntry
  • UnzipFile
  • isError


  • xdr-file-retrieve

Playbook Inputs#

NameDescriptionDefault ValueRequired
Sha256SHA256 for the file to be retrieved.Optional

Playbook Outputs#

FileRetrieve the file details command results.unknown
File.NameThe full file name (including the file extension).String
File.EntryIDThe ID for locating the file in the War Room.String
File.SizeThe size of the file in bytes.Number
File.MD5The MD5 hash of the file.String
File.SHA1The SHA1 hash of the file.String
File.SHA256The SHA256 hash of the file.String
File.SHA512The SHA512 hash of the file.String
File.ExtensionThe file extension. For example, 'xls'.String
File.TypeThe file type, as determined by libmagic (same as displayed in the file entries).String

Playbook Image#

Cortex XDR - Retrieve File by sha256