Skip to main content

Cortex XDR - Retrieve File by sha256

This Playbook is part of the Cortex XDR by Palo Alto Networks Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to This playbook is a sub-playbook for the Cortex XDR malware investigation flow. In this playbook, we are retrieving multiple files from the investigated device (using the Device ID incident field), based on their SHA256.


This playbook uses the following sub-playbooks, integrations, and scripts.


Cortex XDR - Get File Path from alerts by hash




  • UnzipFile
  • isError
  • Print



Playbook Inputs#

NameDescriptionDefault ValueRequired
Sha256SHA256 for the file to be retrieved.Optional

Playbook Outputs#

FileRetrieve the file details command results.unknown
File.NameThe full file name (including the file extension).String
File.EntryIDThe ID for locating the file in the War Room.String
File.SizeThe size of the file in bytes.Number
File.MD5The MD5 hash of the file.String
File.SHA1The SHA1 hash of the file.String
File.SHA256The SHA256 hash of the file.String
File.SHA512The SHA512 hash of the file.String
File.ExtensionThe file extension. For example, 'xls'.String
File.TypeThe file type, as determined by libmagic (same as displayed in the file entries).String

Playbook Image#

Cortex XDR - Retrieve File by sha256