Download files for in-depth investigation
Published Jul 31 2019 10:45 AM 7,120 Views
Microsoft

Investigating suspicious files can provide valuable clues about threat activity. Microsoft Defender ATP therefore includes a sandbox in each customer tenant to detonate files in a safe environment and provide a rich, readable report of what the file can do: gain persistence, communicate with IP addresses, change the registry, and so on. In some cases, though, you want to run such analyses in your own sandbox or do reverse engineering work, so you can now download and inspect any file found on your network.


Interested in downloading the file that was found in the alert? Saw an interesting file in a machine timeline? Head over to the file page, collect it, and download it for further inspection. 


Download a file found in a machine timeline 

Navigate to a machine in your environment, then click the timeline to review the events seen on the machine. 

[Screenshot: machine timeline (machinetimeline.png)]


Find an event that contains a file you would like to investigate.


Tip: You can use the search bar to look for specific files or use the event group filter to scope the search to file events.  


When you see the file you’d like to investigate, head over to the file page by clicking the file link located on the side pane of the interesting event. 


Along the top of the profile page you’ll notice the available actions: 

[Screenshot: file page actions (clipboard_image_5.png)]


The machine must be reporting properly to the service so that files can be collected. Once the file has been collected, the “Collect file” action changes to “Download file” to indicate that the file is available.

[Screenshot: “Download file” action (clipboard_image_6.png)]


[Screenshot: download dialog (downlaod.png)]


Provide a reason for downloading the file (recorded for auditing purposes) and create a password. Because the file might be malicious, protecting it with a password helps prevent it from being inadvertently run.


After downloading the file, you can manually inspect it or use any third-party inspection tools to do further investigative work.

You can use the same process for files found in advanced hunting, alerts, or even automated investigations.
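As an added example (not Microsoft's code) of handling the downloaded sample before any third-party tool touches it: it assumes the password-protected download is a ZIP archive and that you copied the SHA1 shown on the file page; it unpacks the sample into a quarantine directory with no execute bit, hashes it, and checks the hash against the portal's value. The archive it builds for its own demo is a constructed stand-in, not a real sample.

```python
import hashlib
import os
import stat
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Optional

def extract_to_quarantine(archive, dest: Path, password: Optional[bytes]) -> List[Path]:
    """Unpack the collected archive into dest without ever making the sample executable."""
    dest.mkdir(parents=True, exist_ok=True)
    root = dest.resolve()
    extracted = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            target = (root / info.filename).resolve()
            if root not in target.parents:  # reject members that would escape the quarantine dir
                raise ValueError(f"refusing member outside quarantine: {info.filename}")
            if info.is_dir():
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info, pwd=password) as src, open(target, "wb") as dst:
                dst.write(src.read())
            os.chmod(target, stat.S_IRUSR | stat.S_IWUSR)  # rw-------: no execute bit
            extracted.append(target)
    return extracted

def file_hashes(path) -> Dict[str, str]:
    """MD5, SHA1 and SHA256 of the sample, the same hashes the file page displays."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def matches_portal_sha1(path, portal_sha1: str) -> bool:
    """True when the extracted sample is the file the portal said it collected."""
    return file_hashes(path)["sha1"] == portal_sha1.strip().lower()

def demo() -> Dict[str, str]:
    """Constructed stand-in: a harmless 'sample' in an unencrypted zip (zipfile cannot write encrypted ones)."""
    work = Path(tempfile.mkdtemp(prefix="mdatp-sample-"))
    archive = work / "collected.zip"
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("sample.bin", b"abc")  # constructed content, not a real sample
    sample = extract_to_quarantine(archive, work / "quarantine", b"infected")[0]
    return {"path": str(sample), **file_hashes(sample)}
```

For a real download, pass the password you set in the portal dialog as `password` and the SHA1 from the file page to `matches_portal_sha1`.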


Let us know what you think in the comments below! 

Version history
Last update: Jul 31 2019 12:42 PM