Cortex XDR - Retrieve File Playbook

Retrieve files from selected endpoints. You can retrieve up to 20 files, from no more than 10 endpoints. Inputs for this playbook are:

  • A comma-separated list of endpoint IDs.
  • A comma-separated list of file paths for your operating system, either Windows, Linux, or Mac. At least one file path is required.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • GenericPolling

Integrations

  • Cortex XDR - IR

Scripts

  • PrintErrorEntry

Commands

  • xdr-retrieve-files
  • xdr-retrieve-file-details

Playbook Inputs


| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| endpoint_ids | A comma-separated list of endpoint IDs. | | Required |
| windows_file_paths | A comma-separated list of Windows paths. Enter at least one path for either Windows, Linux, or Mac. | | Optional |
| linux_file_paths | A comma-separated list of Linux paths. Enter at least one path for either Windows, Linux, or Mac. | | Optional |
| mac_file_paths | A comma-separated list of Mac paths. Enter at least one path for either Windows, Linux, or Mac. | | Optional |
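A collection job larger than the stated limits has to be split across several playbook runs. The planner below is an added example, not part of the playbook or the Cortex XDR - IR integration: `plan_runs` and its helpers are hypothetical names, the endpoint IDs and paths in the demo are constructed, and it assumes the 20-file limit counts paths across all three OS inputs in a single run.

```python
from itertools import islice

MAX_ENDPOINTS = 10  # "no more than 10 endpoints" (from the page)
MAX_FILES = 20      # "up to 20 files"; assumed to count paths across all three OS inputs
OS_INPUTS = ("windows_file_paths", "linux_file_paths", "mac_file_paths")


def _chunks(items, size):
    it = iter(items)
    while chunk := list(islice(it, size)):
        yield chunk


def _clean(values, what):
    """Strip, drop blanks and duplicates (order kept); reject values containing commas."""
    seen = {}
    for value in (v.strip() for v in values):
        if "," in value:
            raise ValueError(f"{what} {value!r} contains a comma; it would split in a comma-separated input")
        if value:
            seen.setdefault(value, None)
    return list(seen)


def plan_runs(endpoint_ids, windows=(), linux=(), mac=()):
    """Return one dict of playbook inputs per run, each within the documented limits."""
    endpoints = _clean(endpoint_ids, "endpoint ID")
    if not endpoints:
        raise ValueError("endpoint_ids is required")
    files = [(name, path)
             for name, paths in zip(OS_INPUTS, (windows, linux, mac))
             for path in _clean(paths, "file path")]
    if not files:
        raise ValueError("at least one Windows, Linux, or Mac file path is required")
    runs = []
    for ep_chunk in _chunks(endpoints, MAX_ENDPOINTS):
        for file_chunk in _chunks(files, MAX_FILES):
            run = {"endpoint_ids": ",".join(ep_chunk)}
            for name in OS_INPUTS:  # an empty string means "leave this optional input blank"
                run[name] = ",".join(p for n, p in file_chunk if n == name)
            runs.append(run)
    return runs


if __name__ == "__main__":
    # Constructed sample: 12 endpoints and 25 Linux paths -> 4 runs.
    for run in plan_runs([f"endpoint-{i:02d}" for i in range(12)],
                         linux=[f"/var/log/app/{i}.log" for i in range(25)]):
        print(run)
```

Each returned dict maps directly onto the playbook inputs in the table above.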

Playbook Outputs


| Path | Description | Type |
| --- | --- | --- |
| File | Retrieves the file details command results. | unknown |
| File.Name | The full file name (including file extension). | String |
| File.EntryID | The ID for locating the file in the War Room. | String |
| File.Size | The size of the file in bytes. | Number |
| File.MD5 | The MD5 hash of the file. | String |
| File.SHA1 | The SHA1 hash of the file. | String |
| File.SHA256 | The SHA256 hash of the file. | String |
| File.SHA512 | The SHA512 hash of the file. | String |
| File.Extension | The file extension. For example, 'xls'. | String |
| File.Type | The file type, as determined by libmagic (same as displayed in file entries). | String |
