Forum Discussion
Ways to fetch quarantine files
Thanks for the response, Lucaraheller. We tested the specific points in your reply against our tenant. Sharing the results below.
GET /api/quarantineFiles to list quarantined items -
GET https://api.securitycenter.microsoft.com/api/quarantineFiles
Authorization: Bearer <valid token>
→ HTTP 404 (empty body)
The empty 404 (no JSON error structure) indicates the URL didn't match any registered route - distinct from a 403, which would have come back with a structured error message. It seems this endpoint does not exist in the MDE public API. Do you have a link for it?
GET /api/files/{sha1} returns file metadata including whether the file is quarantined -
Tested with the SHA-1 of a known-quarantined EICAR file. Attaching the result -
GET https://api.securitycenter.microsoft.com/api/files/3395856ce81f2b7382dee72602f798b642f14140
Authorization: Bearer <valid token>
→ HTTP 200
{
"sha1": "3395856ce81f2b7382dee72602f798b642f14140",
"sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
"md5": "44d88612fea8a8f36de82e1278abb02f",
"globalPrevalence": 109676,
"globalFirstObserved": "2013-03-03T14:00:34Z",
"globalLastObserved": "2026-06-09T12:59:45Z",
"size": 68,
"fileType": null,
"isPeFile": false,
"filePublisher": null,
"fileProductName": null,
"signer": null,
"issuer": null,
"signerHash": null,
"isValidCertificate": null,
"determinationType": "Malware",
"determinationValue": "Virus:DOS/EICAR_Test_File"
}
No isQuarantined, quarantinePath, remediation, or any machine-scope field appears in the response. The endpoint does not report whether a specific machine has the file in quarantine.
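The two checks used in the post above (telling an unrouted path apart from an authorization failure by the shape of the error body, and confirming that the file-information payload carries no device-scoped quarantine fields) as a small probe script. This is an added example, not code from either participant. The EICAR file-information payload is embedded as a constructed fixture copied from the result posted above; the list of "quarantine-scope" field names and the 403 error body are assumptions used only as probes, not documented MDE fields.

```python
import json
import urllib.error
import urllib.request

MDE_API = "https://api.securitycenter.microsoft.com/api"

# Constructed fixture: the /api/files/{sha1} result posted above, trimmed
# to the fields relevant here.
FILE_INFO_EICAR = {
    "sha1": "3395856ce81f2b7382dee72602f798b642f14140",
    "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
    "md5": "44d88612fea8a8f36de82e1278abb02f",
    "globalPrevalence": 109676,
    "size": 68,
    "isPeFile": False,
    "determinationType": "Malware",
    "determinationValue": "Virus:DOS/EICAR_Test_File",
}

# Assumption: names a device-scoped quarantine answer would plausibly carry.
# None of them is documented for /api/files/{hash}; they are only probed for.
QUARANTINE_SCOPE_FIELDS = (
    "isQuarantined", "quarantinePath", "remediation", "remediationStatus",
    "machineId", "deviceId", "computerDnsName",
)


def classify_response(status: int, body: str) -> str:
    """Distinguish an unrouted URL from a rejected call.

    An empty 404 means no route matched the path. A body that is JSON with an
    "error" object means the route exists and the service rejected the call
    (for example 403 when the token lacks the permission).
    """
    if 200 <= status < 300:
        return "ok"
    try:
        parsed = json.loads(body) if body.strip() else None
    except json.JSONDecodeError:
        parsed = None
    structured = isinstance(parsed, dict) and "error" in parsed
    if status == 404 and not structured:
        return "route_not_found"
    if status in (401, 403) and structured:
        return "denied_structured"
    return "other_structured" if structured else "other_unstructured"


def quarantine_scope_fields(file_info: dict) -> list:
    """Return whichever device/quarantine fields the payload actually carries."""
    return [f for f in QUARANTINE_SCOPE_FIELDS if f in file_info]


def probe(path: str, token: str, timeout: int = 30):
    """GET an MDE API path with a bearer token and return (status, body_text).

    Network call; not exercised by the offline demonstration below. HTTPError
    is caught so a 403/404 body is returned instead of raising.
    """
    req = urllib.request.Request(
        MDE_API + path, headers={"Authorization": "Bearer " + token}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Offline demonstration on the results posted above.
    print(classify_response(404, ""))  # route_not_found
    # Constructed structured error body, the shape a real 403 would have.
    print(classify_response(403, '{"error": {"code": "Forbidden", "message": "constructed"}}'))
    print(quarantine_scope_fields(FILE_INFO_EICAR))  # []
```

To repeat the test against a live tenant, call `probe("/quarantineFiles", token)` and `probe("/files/<sha1>", token)` and feed the results to the two classifiers; an empty 404 on the first and an empty field list on the second reproduce what the post reports.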
Hi Dhwani_Shah,
Thank you for validating this directly in your tenant and for sharing the detailed results.
You are correct, and I need to clarify my previous answer.
I reused part of an older response/reference I had from a previous discussion, and in this case it was not aligned with the current public Microsoft Defender for Endpoint API documentation. That caused the confusion around the GET /api/quarantineFiles endpoint.
After reviewing the public documentation again, I could not find a Microsoft-documented public MDE API endpoint for:
GET /api/quarantineFiles
Based on your HTTP 404 test result and the current public API documentation, this endpoint should not be considered available or supported.
The quarantine-related API I was referring to is actually the documented Stop and quarantine file action:
POST /api/machines/{id}/StopAndQuarantineFile
Microsoft documentation:
https://learn.microsoft.com/en-us/defender-endpoint/api/stop-and-quarantine-file
However, this API is a response action against a specific device. It can stop execution of a file and quarantine/delete it, but it does not list existing quarantined files, expose a quarantine storage object, or provide a way to download file content from quarantine.
You are also correct regarding:
GET /api/files/{sha1-or-sha256}
That endpoint returns file profile/reputation metadata by SHA-1 or SHA-256, but it does not provide device-scoped quarantine status such as isQuarantined, quarantinePath, remediation state, or a direct mapping to a quarantine object.
Microsoft documentation:
https://learn.microsoft.com/en-us/defender-endpoint/api/get-file-information
So, to answer your original questions more accurately:
- I am not aware of a documented public Microsoft Defender for Endpoint REST API to list or retrieve quarantined file objects.
- I am also not aware of a documented method to directly map an alert or SHA-1/SHA-256 hash to the corresponding internal Defender quarantine storage object.
- As a possible investigation path, you could try correlating the alert/file hash with Advanced Hunting tables such as DeviceFileEvents, DeviceEvents, alert evidence, and device timeline data, using fields like DeviceId, DeviceName, SHA1, SHA256, FileName, FolderPath, ActionType, and timestamps.
For example, the practical path would be:
- Start from the alert evidence or known SHA-1/SHA-256.
- Identify the affected device and timestamp through Advanced Hunting.
- Review the device timeline around the detection/remediation event.
- Use Live Response on the affected device if file collection or further validation is required.
- If applicable, check local Microsoft Defender Antivirus quarantine/restore options on that device.
However, this should be considered an event-based correlation and investigation workflow, not a supported lookup of the internal Defender quarantine storage object.
Advanced Hunting schema documentation:
https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-schema-tables
DeviceFileEvents table:
https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicefileevents-table
DeviceEvents table:
https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
- For recovery or collection of quarantined content, the supported options appear to remain Live Response, Defender portal capabilities, or local Microsoft Defender Antivirus tooling, depending on permissions and configuration.
Microsoft documentation about restoring quarantined files:
https://learn.microsoft.com/en-us/defender-endpoint/restore-quarantined-files-microsoft-defender-antivirus
Apologies for the confusion in my first reply, and thanks again for testing it and pointing it out. Your validation helped correct the answer and make it more accurate.
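The investigation path described in the reply above (start from a SHA-1/SHA-256, find the affected device and timestamp through Advanced Hunting, then act on that device) as one script. This is an added example, not code from either participant or from Microsoft. It uses two documented MDE endpoints, `POST /api/advancedqueries/run` with a `Query` body and `POST /api/machines/{id}/StopAndQuarantineFile` with `Comment` and `Sha1`; the KQL filter `ActionType startswith "Antivirus"` for DeviceEvents is an assumption and the exact ActionType values should be checked against the DeviceEvents schema page linked above. The sample Advanced Hunting rows are constructed so the summary step runs offline.

```python
import json
import re
import urllib.request
from collections import defaultdict

MDE_API = "https://api.securitycenter.microsoft.com/api"
EICAR_SHA1 = "3395856ce81f2b7382dee72602f798b642f14140"
HASH_RE = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")


def build_hash_query(file_hash: str, lookback_days: int = 30) -> str:
    """KQL that pulls every file event and antivirus event referencing the hash.

    The hash is validated as hex before being interpolated so a value taken
    from an alert or user input cannot alter the query. The DeviceEvents
    ActionType filter is an assumption (see lead-in).
    """
    h = file_hash.lower()
    if not HASH_RE.match(h):
        raise ValueError("expected a hex SHA-1 or SHA-256")
    return f"""
let h = "{h}";
union
  (DeviceFileEvents | where SHA1 == h or SHA256 == h),
  (DeviceEvents | where (SHA1 == h or SHA256 == h) and ActionType startswith "Antivirus")
| where Timestamp > ago({int(lookback_days)}d)
| project Timestamp, DeviceId, DeviceName, ActionType, FileName, FolderPath, SHA1, SHA256
| order by Timestamp desc
"""


def run_query(query: str, token: str, timeout: int = 60) -> list:
    """Run the query via the Advanced Hunting API and return the Results rows.
    Network call; not exercised offline."""
    req = urllib.request.Request(
        MDE_API + "/advancedqueries/run",
        data=json.dumps({"Query": query}).encode(),
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["Results"]


def summarize(rows: list) -> list:
    """Collapse result rows to one entry per device, newest activity first,
    so the device to target with Live Response is obvious."""
    per_device = defaultdict(lambda: {"ActionTypes": set(), "Paths": set(), "LastSeen": ""})
    for r in rows:
        d = per_device[r["DeviceId"]]
        d["DeviceName"] = r["DeviceName"]
        d["ActionTypes"].add(r["ActionType"])
        d["Paths"].add(r["FolderPath"].rstrip("\\") + "\\" + r["FileName"])
        d["LastSeen"] = max(d["LastSeen"], r["Timestamp"])  # ISO-8601 sorts lexically
    out = []
    for device_id, d in per_device.items():
        out.append({"DeviceId": device_id, "DeviceName": d["DeviceName"], "LastSeen": d["LastSeen"],
                    "ActionTypes": sorted(d["ActionTypes"]), "Paths": sorted(d["Paths"])})
    return sorted(out, key=lambda d: d["LastSeen"], reverse=True)


def stop_and_quarantine_request(machine_id: str, sha1: str, comment: str):
    """Build the documented response action request: (url, json body)."""
    return f"{MDE_API}/machines/{machine_id}/StopAndQuarantineFile", {"Comment": comment, "Sha1": sha1}


# Constructed sample rows in the shape the Advanced Hunting API returns.
SAMPLE_ROWS = [
    {"Timestamp": "2026-06-09T12:59:45Z", "DeviceId": "dev-a1b2", "DeviceName": "wks-042.corp.example",
     "ActionType": "AntivirusDetection", "FileName": "eicar.com", "FolderPath": "C:\\Users\\test\\Downloads",
     "SHA1": EICAR_SHA1, "SHA256": ""},
    {"Timestamp": "2026-06-09T12:59:40Z", "DeviceId": "dev-a1b2", "DeviceName": "wks-042.corp.example",
     "ActionType": "FileCreated", "FileName": "eicar.com", "FolderPath": "C:\\Users\\test\\Downloads",
     "SHA1": EICAR_SHA1, "SHA256": ""},
    {"Timestamp": "2026-06-08T09:00:00Z", "DeviceId": "dev-c3d4", "DeviceName": "srv-01.corp.example",
     "ActionType": "FileCreated", "FileName": "sample.com", "FolderPath": "D:\\share",
     "SHA1": EICAR_SHA1, "SHA256": ""},
]

if __name__ == "__main__":
    print(build_hash_query(EICAR_SHA1))
    for entry in summarize(SAMPLE_ROWS):
        print(entry)
    print(stop_and_quarantine_request("dev-a1b2", EICAR_SHA1, "ticket 1234"))
```

Against a live tenant, `summarize(run_query(build_hash_query(h), token))` gives the device list; the `AntivirusDetection` rows mark where the engine already acted, which is where the device timeline and local quarantine tooling are worth checking, and the FileCreated-only device is the one that may still need the StopAndQuarantineFile action.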