Skip to main content

MDE - Retrieve File

This Playbook is part of the Microsoft Defender for Endpoint Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to This playbook uses the Live Response feature to retrieve a file from an endpoint./nNote that the endpoint id will be set from the incident field "Device ID".


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.


  • MicrosoftDefenderAdvancedThreatProtection


  • UnzipFile
  • isError
  • DeleteContext


  • microsoft-atp-live-response-get-file

Playbook Inputs#

NameDescriptionDefault ValueRequired
pathsThe file paths to be provided.Optional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

MDE - Retrieve File