Retrieve Files from an Endpoint

This capability is supported on Windows endpoints with Traps 6.1 and later releases.
If, during an investigation, you want to retrieve files from one or more Windows endpoints, you can initiate a file retrieval request from Traps management service.
For each file retrieval request, Traps management service supports up to:
  • 20 files
  • 200MB in total size
  • 10 different endpoints
The request instructs the agent to locate the files on the endpoint and upload them to Traps management service. The agent collects all requested files into one archive and includes a log in JSON format containing additional status information. When the files are successfully uploaded, you can download them from the Actions Tracker.
You can also retrieve files related to a security event using the Retrieve Files response action.
To retrieve files from one or more endpoints:
  1. From Traps management service, select Endpoints > Endpoints.
  2. If needed, filter the list of endpoints.
    To reduce the number of results, use the endpoint name search and filters from the Filters menu at the top of the page.
  3. Select the endpoints from which you want to retrieve files and then select the retrieve files icon.
  4. Enter the paths for the files you want to retrieve, pressing Enter after each completed path.
    You can also paste a list of paths from a file that contains each path on a new line. To edit a path, double-click it.
  5. Select Retrieve when finished.
    To track the status of a file retrieval action, view the Actions Tracker. Traps management service retains retrieved files for up to one week.
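
When an investigation needs more files or endpoints than one request allows, the path list can be split before pasting it in step 4. The following script is an added example, not part of the product or its documentation: it cleans a one-path-per-line list and groups it into requests that respect the 20-file and 10-endpoint limits above. The function names, the host names and the rule that only absolute paths are accepted are assumptions of this example.

```python
import ntpath  # Windows path rules, usable on any analyst workstation

MAX_FILES = 20      # files per request (limit stated on this page)
MAX_ENDPOINTS = 10  # endpoints per request (limit stated on this page)
# The 200MB total-size limit cannot be checked from paths alone.


def clean_paths(text):
    """Parse a one-path-per-line list; return (paths, rejected)."""
    paths, rejected, seen = [], [], set()
    for raw in text.splitlines():
        line = raw.strip().strip('"')
        if not line:
            continue
        norm = ntpath.normpath(line)
        drive, rest = ntpath.splitdrive(norm)
        # Assumption of this example: only absolute paths are accepted.
        if not drive or not rest.startswith("\\"):
            rejected.append(line)
            continue
        key = norm.lower()  # Windows paths compare case-insensitively
        if key not in seen:
            seen.add(key)
            paths.append(norm)
    return paths, rejected


def chunks(items, size):
    return [items[i:i + size] for i in range(0, len(items), size)]


def plan_requests(path_text, endpoints):
    """Return (requests, rejected); each request fits the per-request limits."""
    paths, rejected = clean_paths(path_text)
    hosts = sorted(set(endpoints))
    requests = [
        {"endpoints": hs, "paths": ps}
        for hs in chunks(hosts, MAX_ENDPOINTS)
        for ps in chunks(paths, MAX_FILES)
    ]
    return requests, rejected


if __name__ == "__main__":
    # Constructed sample input: 23 paths, 12 hypothetical host names.
    sample = "\n".join(f"C:\\Users\\alice\\doc{i}.txt" for i in range(23))
    plan, bad = plan_requests(sample, [f"host{i:02d}" for i in range(12)])
    for n, req in enumerate(plan, 1):
        print(n, len(req["endpoints"]), "endpoints,", len(req["paths"]), "paths")
```

Each entry in the plan corresponds to one pass through steps 3 to 5; rejected lines should be corrected by hand before they are submitted.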
