Skip to main content

MDE - Retrieve File

This Playbook is part of the Microsoft Defender for Endpoint Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook is part of the ‘Malware Investigation And Response’ pack. For more information, refer to This playbook uses the Live Response feature to retrieve a file from an endpoint. The playbook supports a supplied machine id as an input. Otherwise, it will take the Device ID incident field. The playbook supports only one element to be retrieved for each task (if needed more then one - use the playbook loop feature).


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.


  • MicrosoftDefenderAdvancedThreatProtection


  • isError
  • UnzipFile


  • microsoft-atp-live-response-get-file

Playbook Inputs#

NameDescriptionDefault ValueRequired
pathsThe file paths to be provided.Optional
MachineIDThe ID of the machine.Optional

Playbook Outputs#

ExtractedFilesA list of file names that were extracted from the ZIP file.Unknown
MicrosoftATP.LiveResponseAction.statusThe machine action status.unknown

Playbook Image#

MDE - Retrieve File