I am genuinely curious if anyone has worked out any workflows for extracting file content from Defender for Endpoint detections. We have a sandbox that utilizes a Azure logic app to run a live response session and pull the file from quarantine, but I am wondering if it’s worth digging through scripting options in InsightConnect to do the same.
Essentially the idea would be to extract either a quarantined file or pull a target file from an endpoint (this would likely be a powershell?) and obtain the base64 so that the actual content could be submitted for malware analysis, rather than just the hash.
This sounds extensive…but if anyone’s even taken a shot at doing this and made some kind of success I’d love to hear it.