Forum Discussion
Recovering Quarantined File without Restoring
- zaynhijazi | Nov 04, 2024 | Copper Contributor
micheleariis I can download copies of the quarantined files from the portals, but I am trying to see if there is a way to get a copy of the quarantined files programmatically without restoring the quarantined file back on the machine.
- micheleariis | Nov 04, 2024 | MCT
# The ID of the file associated with the alert
$fileId = "FILE_ID_TO_DOWNLOAD"
# The ID of the device associated with the alert
$deviceId = "DEVICE_ID_ASSOCIATED"
$downloadUrl = "https://api.securitycenter.microsoft.com/api/machines/$deviceId/files/$fileId"
# $headers is not defined in this snippet; it must already hold the request headers
$response = Invoke-RestMethod -Method Post -Uri $downloadUrl -Headers $headers
- zaynhijazi | Nov 04, 2024 | Copper Contributor
micheleariis Thank you for your response. I'm assuming the "$deviceId" would refer to the "machineId". Regarding the fileId, is that the SHA-1 or the SHA-256 associated with the file? Also, do you possibly have a link to somewhere in the Microsoft Defender for Endpoint API where it has an example of this same HTTP request that you mentioned? And lastly, for the headers, do I need to have anything other than the bearer token?