Forum Discussion
Recovering Quarantined File without Restoring
micheleariis I can download copies of the quarantined files from the portals, but I am trying to see if there is a way to get a copy of the quarantined files programmatically without restoring the quarantined file back on the machine.
$token = "BEARER_TOKEN"                  # OAuth2 access token for the Defender for Endpoint API
$headers = @{ Authorization = "Bearer $token" }   # the only header most requests need
$fileId = "FILE_ID_TO_DOWNLOAD"          # The ID of the file associated with the alert
$deviceId = "DEVICE_ID_ASSOCIATED"       # the machineId of the device
$downloadUrl = "https://api.securitycenter.microsoft.com/api/machines/$deviceId/files/$fileId"
$response = Invoke-RestMethod -Method Post -Uri $downloadUrl -Headers $headers
- zaynhijazi (Nov 04, 2024, Copper Contributor)
micheleariis Thank you for your response. I'm assuming the "$deviceId" would refer to the "machineId". Regarding the fileId, is that the SHA-1 or the SHA-256 associated with the file? Also, do you possibly have a link to somewhere in the Microsoft Defender for Endpoint API where it has an example of this same HTTP request that you mentioned? And lastly, for the headers, do I need to have anything other than the bearer token?
- micheleariis (Nov 04, 2024, MCT)
zaynhijazi $deviceId refers to the machineId in Microsoft Defender for Endpoint. This ID uniquely identifies the device within your Defender for Endpoint environment.
The fileId generally refers to the SHA-1 hash of the file in Microsoft Defender for Endpoint. When you use the API to download or interact with a file, you usually need to provide the SHA-1 hash.
https://learn.microsoft.com/it-it/defender-endpoint/api/get-alert-related-files-info
No, for most Microsoft Defender for Endpoint API requests, the main header you need is the Bearer Token for authentication.
- zaynhijazi (Nov 04, 2024, Copper Contributor)
micheleariis Thanks for the response once again. This gets JSON information related to the file, like the SHA-1, SHA-256, and other information, but it does not give me the file itself (the file that was downloaded on the PC that triggered the alert). I know that the only way to get a file is to use the Live Response request: https://learn.microsoft.com/en-us/defender-endpoint/api/run-live-response. However, Live Response requests, for some reason, will not give me a copy of a quarantined file unless I release the file from quarantine. Is there a way to get a file that is quarantined, without releasing it from quarantine, using an API from Microsoft?
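For readers following the Live Response route mentioned in the last post, here is an added example (not code from any poster in this thread) of the documented run-live-response flow: submit a GetFile command, poll the resulting machine action, then fetch the result through the GetLiveResponseResultDownloadLink endpoint. The token, machine id, file path and output path are placeholders; as the thread notes, this retrieves a file still on disk, not an item held in quarantine.

```powershell
# Added example: collect a file from a device via the Live Response API.
$token     = "PLACEHOLDER_BEARER_TOKEN"       # assumption: OAuth2 token for the Defender for Endpoint API
$machineId = "PLACEHOLDER_MACHINE_ID"         # assumption: the device's machineId
$path      = "C:\Users\Public\sample.txt"     # constructed: on-disk file to collect (not a quarantined item)
$outFile   = "$env:TEMP\liveresponse-result"  # assumption: where to store the downloaded result
$base      = "https://api.securitycenter.microsoft.com/api"
$headers   = @{ Authorization = "Bearer $token" }

# 1. Submit the GetFile command. The response is a machine action record, not the file.
$body = @{
    Commands = @(@{ type = "GetFile"; params = @(@{ key = "Path"; value = $path }) })
    Comment  = "Collect file for investigation"
} | ConvertTo-Json -Depth 5
$action = Invoke-RestMethod -Method Post -Uri "$base/machines/$machineId/runliveresponse" `
    -Headers $headers -ContentType "application/json" -Body $body

# 2. Poll the machine action until it leaves the Pending/InProgress states.
do {
    Start-Sleep -Seconds 10
    $action = Invoke-RestMethod -Method Get -Uri "$base/machineactions/$($action.id)" -Headers $headers
} while ($action.status -in @("Pending", "InProgress"))

if ($action.status -ne "Succeeded") {
    throw "Live Response action $($action.id) ended with status $($action.status)"
}

# 3. Request the download link for command index 0 (our single GetFile) and fetch it.
$link = Invoke-RestMethod -Method Get -Headers $headers `
    -Uri "$base/machineactions/$($action.id)/GetLiveResponseResultDownloadLink(index=0)"
Invoke-WebRequest -Uri $link.value -OutFile $outFile
Write-Host "Result saved to $outFile"
```

Run this with an app registration that holds the Machine.LiveResponse permission; the download link in `$link.value` is time-limited, so fetch it promptly after the action succeeds.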