CrowdStrike Falcon - Retrieve File

This Playbook is part of the CrowdStrike Falcon Pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to This playbook retrieves and unzips files from CrowdStrike Falcon and returns a list of the files that were and were not retrieved.


This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

  • CrowdStrikeFalcon

Scripts

  • Set
  • UnzipFile
  • IsIntegrationAvailable

Commands

  • cs-falcon-rtr-retrieve-file

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| HostId | The ID of the host to use. | | Optional |
| PathsToGet | The path to retrieve the file from the host. | | Optional |
| ZipPassword | Default password to unzip files retrieved by CrowdStrike Falcon. | infected | Optional |
| FileNames | The names of the files to retrieve. This is used to validate that all the intended files were retrieved, not to specify which ones will be retrieved. | | Optional |

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| ExtractedFiles | A list of file names that were extracted from the ZIP file. | string |
| NonRetrievedFiles | A list of files that were not retrieved. | string |
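The check that the FileNames input and the two outputs describe can be sketched as follows. This is an added example, not the playbook's or the pack's own code. It assumes the retrieved archive is a standard ZIP readable by Python's `zipfile` and that names are compared case-insensitively; `reconcile_retrieved` and `build_sample` are hypothetical names.

```python
import io
import zipfile
from pathlib import PurePosixPath


def reconcile_retrieved(zip_bytes, expected_names, password="infected"):
    """Return (extracted, non_retrieved), mirroring ExtractedFiles / NonRetrievedFiles."""
    extracted = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename.replace("\\", "/"))
            # Archives built from a suspect host are untrusted input:
            # skip members whose names would escape the working directory.
            if path.is_absolute() or ".." in path.parts:
                continue
            # Read into memory only; nothing is written to disk or executed.
            # A wrong password on an encrypted member raises RuntimeError.
            zf.read(info, pwd=password.encode())
            extracted.append(path.name)
    # Assumption: case-insensitive match, as on Windows file systems.
    seen = {name.lower() for name in extracted}
    non_retrieved = [n for n in expected_names if n.lower() not in seen]
    return extracted, non_retrieved


def build_sample():
    """Constructed sample archive. It is unencrypted because the standard
    library cannot write encrypted ZIPs; pwd is ignored for such members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.docm", b"constructed placeholder content")
        zf.writestr("../../evil.dll", b"constructed traversal entry")
    return buf.getvalue()


if __name__ == "__main__":
    got, missing = reconcile_retrieved(build_sample(),
                                       ["Invoice.DOCM", "dropper.exe"])
    print("ExtractedFiles:", got)
    print("NonRetrievedFiles:", missing)
```
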
