CrowdStrike Falcon - Retrieve File

This Playbook is part of the CrowdStrike Falcon Pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook retrieves and unzips files from CrowdStrike Falcon and returns a list of the files that were and were not retrieved.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

CrowdStrikeFalcon

Scripts

  • Set
  • UnzipFile

Commands

cs-falcon-rtr-retrieve-file

Playbook Inputs


| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| HostId | The ID of the host to use. | | Optional |
| PathsToGet | The paths to retrieve the files from the host. | | Optional |
| ZipPassword | The default password to unzip files retrieved by CrowdStrike Falcon. | infected | Optional |
| FileNames | The names of the files to retrieve. Used to validate that all the intended files were retrieved, not to specify which ones will be retrieved. | | Optional |

Playbook Outputs


| Path | Description | Type |
| --- | --- | --- |
| ExtractedFiles | A list of file names that were extracted from the ZIP file. | string |
| NonRetrievedFiles | A list of file names that were not retrieved. | string |
