Download files for in-depth investigation
Published Jul 31 2019 10:45 AM 7,095 Views

Investigating suspicious files can provide valuable clues on a threat activity. Therefore, Microsoft Defender ATP includes a sandbox in each customer tenant, to detonate files in a safe environment and provides a rich and readable report of what the file can do – gain persistence, communicate to IP addresses, change the registry, etc but in some case you want to run such analyses iyour own sandbox or do reverse engineering work, you can now download and inspect any file found on your network.  


Interested in downloading the file that was found in the alert? Saw an interesting file in a machine timeline? Head over to the file page, collect it, and download it for further inspection. 


Download a file found in a machine timeline 

Navigate to a machine in your environment, then click the timeline to review the events seen on the machine. 



Find aevent that contains a file you would like to investigate. 


Tip: You can use the search bar to look for specific files or use the event group filter to scope the search to file events.  


When you see the file you’d like to investigate, head over to the file page by clicking the file link located on the side pane of the interesting event. 


Along the top of the profile page you’ll notice the available actions: 



The machine must be reporting properly to the service so that files can be collectedOnce it was collected, the “Collect file” action will change to Download file to indicate that the file has been collected. 





Provide a reason for auditing purposes for downloading the file and create a passwordBecause the file might be malicious, protecting it with a password will help prevent the file from being inadvertently run.


After downloading the file, you can manually inspect it or use any third-party inspection tools to do further investigative work 

You can use the same process for files found in advanced huntingalerts, or even automated investigations. 


Let us know what you think in the comments below! 

Version history
Last update:
‎Jul 31 2019 12:42 PM
Updated by: