Skip to main content

Microsoft Defender For Endpoint - Collect investigation package

This Playbook is part of the Microsoft Defender for Endpoint Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.2.0 and later.

This playbook simplifies retrieving investigation packages to Cortex XSOAR from supported machines (See
The playbook receives information about the target devices (host name, IP, and device ID), validates the devices exist, and retrieves the collection package from those machines into the Cortex XSOAR console.
This action may take time, the average package size is around ~15 MB.


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.


Microsoft Defender Advanced Threat Protection


This playbook does not use any scripts.


  • endpoint
  • microsoft-atp-request-and-download-investigation-package

Playbook Inputs#

NameDescriptionDefault ValueRequired
AutoCollectinvestigationPackegeChoose True to skip user validation on retrieving the investigation pack within the provided assets.TrueOptional
HostnamesA comma-separated list of host names.Optional
MachineIDsA comma-separated list of machine IDs.Optional
IPsA comma-separated list of machine IPs.Optional

Playbook Outputs#

MicrosoftATP.MachineActionMicrosoft Defender For Endpoint machine action details.unknown

Playbook Image#

Microsoft Defender For Endpoint - Collect investigation package