Forum Discussion
Ways to fetch quarantine files
We are working with quarantine files and have a few questions:
1. Is there a public API available to retrieve quarantined files from Microsoft Defender for Endpoint?
2. Is there a documented method to map an alert or a file SHA-1/SHA-256 hash to the corresponding object in the Defender quarantine store?
3. Is there a way to retrieve quarantined files other than using a PowerShell script through the Live Response API?
4 Replies
- Marcel_Graewer (Brass Contributor)
The API conclusion holds. There's no public MDE endpoint that lists quarantine or returns the file content. StopAndQuarantineFile only acts on a file, and GET /api/files/{sha} is reputation data with no per-device quarantine state, which lines up with both your 404 and the metadata you got back.
What usually gets skipped here is that you can still get the content out without Live Response PowerShell. The file's profile page in the portal has a "Download file" action that returns a password-protected .zip of the sample. For quarantined files that depends on Settings > Endpoints > Advanced features > "Download quarantined files", which is on by default. Whether the button is actually live comes down to a few preconditions: MDAV in active mode, AV engine 1.1.17300.4 or newer, cloud protection and sample submission both on, and the file-collection RBAC permission. If MDE never stored the file you'll see "Collect file" instead. The sample is collected once per org and stays in your tenant geo. That covers your retrieval question and the alternative-to-PowerShell one.
For mapping a hash to where it landed: nothing in the quarantine store is directly queryable, but the detection event is reliable enough to lean on. Pivot from the SHA through DeviceEvents:
DeviceEvents
| where ActionType == "AntivirusDetection"
| where SHA1 == "your-sha1" // SHA256 is often empty in this table, SHA1 is the safer key
| extend AF = parse_json(AdditionalFields)
| project Timestamp, DeviceId, DeviceName, FolderPath, FileName, SHA1, ThreatName = tostring(AF.ThreatName), WasRemediated = tostring(AF.WasRemediated), WasExecutingWhileDetected = tostring(AF.WasExecutingWhileDetected)
| order by Timestamp desc
WasRemediated is what confirms the quarantine actually completed on a given device rather than just firing. If you'd rather see the device spread than read rows, Action center > History lists the "Quarantine file" action with "Apply to X more instances of this file".
When you need the bytes locally, or the same thing across a fleet, MpCmdRun is the tool and the flag people overlook is -Path. MpCmdRun.exe -Restore -Path <dir> writes a copy into a directory and leaves the original in quarantine, so you walk away with the sample but the endpoint stays as it was. Run -Restore -ListAll first to see what's sitting there. Wrap it in Live Response (the run command) once it's more than a single box.
The one real gap is the programmatic side. There's nothing to enumerate or bulk-pull quarantine over an API, so anything automated still ends up going through MpCmdRun under Live Response.
- Dhwani_Shah (Copper Contributor)
Thanks for the response, Lucaraheller. We tested the specific points in your reply against our tenant. Sharing the results below.
GET /api/quarantineFiles to list quarantined items -
GET https://api.securitycenter.microsoft.com/api/quarantineFiles
Authorization: Bearer <valid token>
→ HTTP 404 (empty body)
The empty 404 (no JSON error structure) indicates the URL didn't match any registered route - distinct from a 403, which would have come back with a structured error message. Seems like this endpoint does not exist in the MDE public API. Do you have any link for the same?
GET /api/files/{sha1} returns file metadata including whether the file is quarantined -
Tested with the SHA-1 of a known-quarantined EICAR file. Attaching the result -
GET https://api.securitycenter.microsoft.com/api/files/3395856ce81f2b7382dee72602f798b642f14140
Authorization: Bearer <valid token>
→ HTTP 200
{
"sha1": "3395856ce81f2b7382dee72602f798b642f14140",
"sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
"md5": "44d88612fea8a8f36de82e1278abb02f",
"globalPrevalence": 109676,
"globalFirstObserved": "2013-03-03T14:00:34Z",
"globalLastObserved": "2026-06-09T12:59:45Z",
"size": 68,
"fileType": null,
"isPeFile": false,
"filePublisher": null,
"fileProductName": null,
"signer": null,
"issuer": null,
"signerHash": null,
"isValidCertificate": null,
"determinationType": "Malware",
"determinationValue": "Virus:DOS/EICAR_Test_File"
}
No isQuarantined, quarantinePath, remediation, or any machine-scope field appears in the response. The endpoint does not report whether a specific machine has the file in quarantine.
Hi Dhwani_Shah,
Thank you for validating this directly in your tenant and for sharing the detailed results.
You are correct, and I need to clarify my previous answer.
I reused part of an older response/reference I had from a previous discussion, and in this case it was not aligned with the current public Microsoft Defender for Endpoint API documentation. That caused the confusion around the GET /api/quarantineFiles endpoint.
After reviewing the public documentation again, I could not find a Microsoft-documented public MDE API endpoint for:
GET /api/quarantineFiles
Based on your HTTP 404 test result and the current public API documentation, this endpoint should not be considered available or supported.
The quarantine-related API I was referring to is actually the documented Stop and quarantine file action:
POST /api/machines/{id}/StopAndQuarantineFile
Microsoft documentation:
https://learn.microsoft.com/en-us/defender-endpoint/api/stop-and-quarantine-file
However, this API is a response action against a specific device. It can stop execution of a file and quarantine/delete it, but it does not list existing quarantined files, expose a quarantine storage object, or provide a way to download file content from quarantine.
You are also correct regarding:
GET /api/files/{sha1-or-sha256}
That endpoint returns file profile/reputation metadata by SHA-1 or SHA-256, but it does not provide device-scoped quarantine status such as isQuarantined, quarantinePath, remediation state, or a direct mapping to a quarantine object.
Microsoft documentation:
https://learn.microsoft.com/en-us/defender-endpoint/api/get-file-information
So, to answer your original questions more accurately:
- I am not aware of a documented public Microsoft Defender for Endpoint REST API to list or retrieve quarantined file objects.
- I am also not aware of a documented method to directly map an alert or SHA-1/SHA-256 hash to the corresponding internal Defender quarantine storage object.
- As a possible investigation path, you could try correlating the alert/file hash with Advanced Hunting tables such as DeviceFileEvents, DeviceEvents, alert evidence, and device timeline data, using fields like DeviceId, DeviceName, SHA1, SHA256, FileName, FolderPath, ActionType, and timestamps.
For example, the practical path would be:
- Start from the alert evidence or known SHA-1/SHA-256.
- Identify the affected device and timestamp through Advanced Hunting.
- Review the device timeline around the detection/remediation event.
- Use Live Response on the affected device if file collection or further validation is required.
- If applicable, check local Microsoft Defender Antivirus quarantine/restore options on that device.
However, this should be considered event-based correlation and investigation workflow, not a supported lookup of the internal Defender quarantine storage object.
Advanced Hunting schema documentation:
https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-schema-tables
DeviceFileEvents table:
https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicefileevents-table
DeviceEvents table:
https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
- For recovery or collection of quarantined content, the supported options appear to remain Live Response, Defender portal capabilities, or local Microsoft Defender Antivirus tooling, depending on permissions and configuration.
Microsoft documentation about restoring quarantined files:
https://learn.microsoft.com/en-us/defender-endpoint/restore-quarantined-files-microsoft-defender-antivirus
Apologies for the confusion in my first reply, and thanks again for testing it and pointing it out. Your validation helped correct the answer and make it more accurate.
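An added example, written here and not taken from any reply in this thread or from Microsoft, for the hash-to-device pivot that Marcel_Graewer's DeviceEvents query and the investigation path in the reply above both describe. It assumes the documented Advanced Hunting API endpoint (POST https://api.securitycenter.microsoft.com/api/advancedqueries/run, not quoted on this page), a bearer token obtained separately (read from an MDE_TOKEN environment variable of my own choosing), and a constructed SAMPLE_RESULTS list standing in for a real response; the SHA-1 is the EICAR hash from Dhwani_Shah's test. The point it adds beyond the thread is the check a practitioner wants before interpolating a caller-supplied hash into KQL, and the per-device collapse that separates "detection fired" from "quarantine completed".

```python
"""Hash -> device pivot through Advanced Hunting (added example, not from the thread).

Assumptions, labelled as such: the documented Advanced Hunting endpoint
POST https://api.securitycenter.microsoft.com/api/advancedqueries/run, a bearer
token obtained elsewhere, and the constructed SAMPLE_RESULTS below standing in
for a real response.
"""
import json
import os
import re
from urllib import request

HUNTING_URL = "https://api.securitycenter.microsoft.com/api/advancedqueries/run"  # assumed documented endpoint
SHA1_RE = re.compile(r"[0-9a-fA-F]{40}")


def is_valid_sha1(value: str) -> bool:
    """Only a bare 40-hex-digit string is accepted; anything else never reaches the query."""
    return bool(SHA1_RE.fullmatch(value))


def build_query(sha1: str) -> str:
    """Return the DeviceEvents pivot for one SHA-1, mirroring the query posted in the thread.

    The hash is validated before interpolation so a caller-supplied value cannot
    close the string literal and append its own KQL.
    """
    if not is_valid_sha1(sha1):
        raise ValueError("expected a 40-character hex SHA-1")
    return "\n".join([
        "DeviceEvents",
        '| where ActionType == "AntivirusDetection"',
        f'| where SHA1 == "{sha1.lower()}"',
        "| extend AF = parse_json(AdditionalFields)",
        "| project Timestamp, DeviceId, DeviceName, FolderPath, FileName, SHA1,",
        "    ThreatName = tostring(AF.ThreatName),",
        "    WasRemediated = tostring(AF.WasRemediated),",
        "    WasExecutingWhileDetected = tostring(AF.WasExecutingWhileDetected)",
        "| order by Timestamp desc",
    ])


def run_query(query: str, token: str, opener=request.urlopen) -> list:
    """POST the query and return the Results array; opener is injectable for offline tests."""
    req = request.Request(
        HUNTING_URL,
        data=json.dumps({"Query": query}).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with opener(req) as resp:
        return json.load(resp)["Results"]


def summarize_detections(rows: list) -> dict:
    """Collapse detection rows into one record per device.

    A device counts as quarantined only when some row has WasRemediated == true;
    a detection that fired without remediation is still listed, flagged False.
    """
    devices = {}
    for row in rows:
        rec = devices.setdefault(row["DeviceName"], {
            "device_id": row["DeviceId"],
            "threat": row.get("ThreatName", ""),
            "quarantined": False,
            "folders": set(),
            "last_seen": row["Timestamp"],
        })
        if str(row.get("WasRemediated", "")).lower() == "true":
            rec["quarantined"] = True
        rec["folders"].add(row.get("FolderPath", ""))
        rec["last_seen"] = max(rec["last_seen"], row["Timestamp"])  # ISO-8601 Z strings sort lexically
    for rec in devices.values():
        rec["folders"] = sorted(rec["folders"])
    return devices


def quarantined_devices(rows: list) -> list:
    """Names of devices where quarantine actually completed, to cross-check against Action center."""
    return sorted(name for name, rec in summarize_detections(rows).items() if rec["quarantined"])


# Constructed rows in the shape of the API's Results array; the SHA-1 is the EICAR hash from the thread.
EICAR_SHA1 = "3395856ce81f2b7382dee72602f798b642f14140"
SAMPLE_RESULTS = [
    {"Timestamp": "2026-06-09T12:59:45Z", "DeviceId": "dev-aaaa", "DeviceName": "ws-01.corp.test",
     "FolderPath": "C:\\Users\\alice\\Downloads", "FileName": "eicar.com", "SHA1": EICAR_SHA1,
     "ThreatName": "Virus:DOS/EICAR_Test_File", "WasRemediated": "true", "WasExecutingWhileDetected": "false"},
    {"Timestamp": "2026-06-09T12:58:10Z", "DeviceId": "dev-aaaa", "DeviceName": "ws-01.corp.test",
     "FolderPath": "C:\\Users\\alice\\Downloads", "FileName": "eicar.com", "SHA1": EICAR_SHA1,
     "ThreatName": "Virus:DOS/EICAR_Test_File", "WasRemediated": "false", "WasExecutingWhileDetected": "false"},
    {"Timestamp": "2026-06-08T09:02:00Z", "DeviceId": "dev-bbbb", "DeviceName": "ws-02.corp.test",
     "FolderPath": "D:\\share\\drop", "FileName": "eicar.com", "SHA1": EICAR_SHA1,
     "ThreatName": "Virus:DOS/EICAR_Test_File", "WasRemediated": "false", "WasExecutingWhileDetected": "true"},
]


if __name__ == "__main__":
    token = os.environ.get("MDE_TOKEN")  # set a real token to query the tenant instead of the sample rows
    rows = run_query(build_query(EICAR_SHA1), token) if token else SAMPLE_RESULTS
    for name, rec in summarize_detections(rows).items():
        print(f"{name}: quarantined={rec['quarantined']} threat={rec['threat']} folders={rec['folders']}")
```

Run without MDE_TOKEN it works only on the constructed rows and reports ws-01 as quarantined and ws-02 as detected but not remediated; with a token it submits the same query to the tenant. The device names it returns are what you then take to Action center > History or to MpCmdRun -Restore -Path on the affected host, since, as both replies note, nothing in the quarantine store itself is queryable.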
Hi Dhwani_Shah,
Great questions! Here are the answers for each:
1. Public API to retrieve quarantined files: Yes, Microsoft Defender for Endpoint exposes the Quarantine API as part of the Microsoft Defender for Endpoint REST API. You can use the GET /api/quarantineFiles endpoint to list quarantined items. Authentication is done via Azure AD app registration with the appropriate permissions (Ti.ReadWrite or Machine.ReadWrite.All depending on scope). Note that file content retrieval (downloading the actual file) is not available via the public API for security reasons, but metadata retrieval is supported.
2. Mapping a SHA-1/SHA-256 hash to a quarantine object: You can use the Files API endpoint GET /api/files/{sha1} to retrieve file metadata including whether it is quarantined. Alternatively, the Advanced Hunting table DeviceFileEvents with ActionType = 'AntivirusDetection' includes the SHA1 and SHA256 fields which you can correlate with quarantine events.
3. Retrieving quarantined files outside of Live Response PowerShell: The primary supported methods are:
- Live Response (PowerShell or direct file download through the MDE portal under Device page > Actions > Collect investigation package)
- The MDE Security Portal under Incidents > Evidence where quarantined files sometimes appear
- Via the Microsoft 365 Defender REST API with appropriate permissions
The direct download/export of quarantine file content via REST API is not officially supported at this time for security reasons. Live Response remains the recommended method for analyst review.
Hope this helps clarify your options!