Forum Discussion
Ways to fetch quarantine files
Hi Dhwani_Shah,
Great questions! Here are the answers for each:
1. Public API to retrieve quarantined files: Yes, Microsoft Defender for Endpoint exposes the Quarantine API as part of the Microsoft Defender for Endpoint REST API. You can use the GET /api/quarantineFiles endpoint to list quarantined items. Authentication is done via Azure AD app registration with the appropriate permissions (Ti.ReadWrite or Machine.ReadWrite.All depending on scope). Note that file content retrieval (downloading the actual file) is not available via the public API for security reasons, but metadata retrieval is supported.
2. Mapping a SHA-1/SHA-256 hash to a quarantine object: You can use the Files API endpoint GET /api/files/{sha1} to retrieve file metadata including whether it is quarantined. Alternatively, the Advanced Hunting table DeviceFileEvents with ActionType = 'AntivirusDetection' includes the SHA1 and SHA256 fields which you can correlate with quarantine events.
3. Retrieving quarantined files outside of Live Response PowerShell: The primary supported methods are:
- Live Response (PowerShell or direct file download through the MDE portal under Device page > Actions > Collect investigation package)
- The MDE Security Portal under Incidents > Evidence where quarantined files sometimes appear
- Via the Microsoft 365 Defender REST API with appropriate permissions
The direct download/export of quarantine file content via REST API is not officially supported at this time for security reasons. Live Response remains the recommended method for analyst review.
Hope this helps clarify your options!
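The hash-to-quarantine lookup described in point 2, as an added example that is not part of the reply above or of Microsoft's own tooling. It assumes the Azure AD client-credentials token endpoint, the `GET /api/files/{id}` Files API and the `POST /api/advancedqueries/run` Advanced Hunting API as documented publicly for Defender for Endpoint; the tenant, client id and secret are placeholders, and the hunting query is written against the `DeviceEvents` table (where the `AntivirusDetection` action type is placed in Microsoft's schema reference; adjust the table name if your tenant differs from the reply's `DeviceFileEvents` wording). The sample hunting rows are constructed so the correlation logic runs offline; the network calls only run from `main()`.

```python
"""Correlate a SHA-1/SHA-256 hash with Defender for Endpoint AV detections.

Added example (not the forum reply's or Microsoft's code). Endpoint paths are
taken from Microsoft's public MDE API documentation as assumptions; verify
them against the current docs for your tenant.
"""
import json
import re
import urllib.parse
import urllib.request

API_BASE = "https://api.securitycenter.microsoft.com"
TENANT_ID = "<tenant-id>"        # placeholder
CLIENT_ID = "<app-client-id>"    # placeholder
CLIENT_SECRET = "<app-secret>"   # placeholder: load from a secret store, never hard-code

HEX = re.compile(r"^[0-9a-f]+$")


def hash_kind(file_hash):
    """Return 'sha1' or 'sha256' for a well-formed hex digest, else raise ValueError.

    Validating the hash before it is interpolated into a KQL string is what
    keeps the query construction below free of injection concerns.
    """
    h = file_hash.strip().lower()
    if not HEX.match(h):
        raise ValueError("hash must be hexadecimal")
    if len(h) == 40:
        return "sha1"
    if len(h) == 64:
        return "sha256"
    raise ValueError("hash must be 40 (SHA-1) or 64 (SHA-256) hex characters")


def build_hunting_query(file_hash):
    """KQL that finds AV detections whose SHA1 or SHA256 equals the given hash."""
    h = file_hash.strip().lower()
    hash_kind(h)  # raises on anything that is not a plain hex digest
    return (
        'DeviceEvents | where ActionType == "AntivirusDetection" '
        f'| where SHA1 == "{h}" or SHA256 == "{h}" '
        "| project Timestamp, DeviceName, FileName, FolderPath, SHA1, SHA256, ActionType"
    )


def quarantine_matches(rows, file_hash):
    """Filter Advanced Hunting result rows whose SHA1 or SHA256 matches (case-insensitive).

    rows: list of dicts shaped like the 'Results' array of the hunting API response.
    """
    h = file_hash.strip().lower()
    return [
        r for r in rows
        if (r.get("SHA1") or "").lower() == h or (r.get("SHA256") or "").lower() == h
    ]


# ---- network helpers (only exercised from main) ----------------------------

def get_token(tenant_id, client_id, client_secret):
    """Client-credentials flow against the Azure AD v2.0 token endpoint (assumed)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{API_BASE}/.default",
    }).encode()
    req = urllib.request.Request(
        f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token", data=body)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def api_call(token, path, payload=None):
    """GET (payload None) or POST JSON to the MDE API with a bearer token."""
    data = None if payload is None else json.dumps(payload).encode()
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    req = urllib.request.Request(f"{API_BASE}{path}", data=data, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def lookup_hash(token, file_hash):
    """File metadata via GET /api/files/{id} plus matching AV detection rows via hunting."""
    metadata = api_call(token, f"/api/files/{file_hash.strip().lower()}")
    results = api_call(token, "/api/advancedqueries/run",
                       {"Query": build_hunting_query(file_hash)})["Results"]
    return metadata, quarantine_matches(results, file_hash)


# ---- constructed sample data (not real detections) -------------------------
SHA1_A = "0123456789abcdef0123456789abcdef01234567"
SHA256_A = "0123456789abcdef" * 4
SHA1_B = "fedcba9876543210fedcba9876543210fedcba98"
SAMPLE_ROWS = [
    {"Timestamp": "2024-01-01T10:00:00Z", "DeviceName": "ws01.example.local",
     "ActionType": "AntivirusDetection", "FileName": "invoice.exe",
     "SHA1": SHA1_A, "SHA256": SHA256_A},
    {"Timestamp": "2024-01-01T11:00:00Z", "DeviceName": "ws02.example.local",
     "ActionType": "AntivirusDetection", "FileName": "tool.dll",
     "SHA1": SHA1_B, "SHA256": "f" * 64},
]


def main():
    token = get_token(TENANT_ID, CLIENT_ID, CLIENT_SECRET)
    metadata, hits = lookup_hash(token, SHA1_A)
    print(json.dumps(metadata, indent=2))
    for row in hits:
        print(row["DeviceName"], row["FileName"], row["Timestamp"])


if __name__ == "__main__":
    main()
```

The offline part (`hash_kind`, `build_hunting_query`, `quarantine_matches`) is what an analyst would reuse: it accepts either digest length, refuses anything that is not plain hex before building the query, and matches case-insensitively because hashes arrive in mixed case from different sources. Neither path downloads file content, consistent with the reply's note that content retrieval stays with Live Response.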