Fetch files from hosts

Use the File fetch feature to obtain a copy of the 'suspicious' or 'malicious' file from the host for more analysis. Unlike the File Isolation feature, File fetch only fetches a copy of the file; the file is not isolated from other subsystems on the host, and it still poses a threat to the host and other connected hosts.

Files can be fetched in two ways, depending on the severity of the alert generated for the file.

  • For critical alerts, it is recommended that you first isolate the file on the host and fetch (download) the isolated file locally for more analysis.

  • For moderate alerts, you can fetch the file from the host and save it on the instance and later download the actual file for more analysis. 

For example, you might fetch a monitored file associated with a Trust-related alert that was flagged for a 'Low Risk' application, so that you can analyze it further.

Before you begin

It is recommended that you know the following before you start using the File fetch feature.

  • Fetch process - File fetch triggers a job schedule for the relevant host. The file is fetched only when the host is 'Reachable' from the instance. You can see the statuses of the File fetch schedules on the Files > Fetched Files page.

  • File size - you can fetch a file of up to 10 MB in size. The fetched files are stored in a ColorTokens-managed secure location in the instance.

  • Post-fetch operations - you can perform the following operations on fetched files:

    • Download file - fetched files can be downloaded locally for more analysis.

    • Isolate file - if you find that a fetched file is malicious, you can isolate the file on the host.

  • 'Fetched' file availability - fetched files remain available on the instance for analysis for as long as the Data archival settings of the instance allow. See the Settings > Configurations page for these settings.


Fetched Files page

All File fetch schedules (without File isolation) triggered in the last 30 days are listed on the Files > Fetched Files page.


Fetch a file from a host

The following steps assume that you are fetching a file associated with an alert. Go to the Files > File Isolation page to fetch isolated files.

  1. Go to Alerts > Detailed Alerts.

  2. Click the 3-dot menu of an alert and click Fetch File from Host.

  3. Click Fetch File from Host.

  4. From the Reason for Fetch drop-down list, select a reason.

  5. Enter the details about why you want to fetch the file.

  6. Click Fetch File from Host.

    A confirmation message stating that the fetch is scheduled is displayed for a few seconds.

  7. Go to the Files > Fetched Files page to see the status of the File fetch schedule.


Post-fetch operations

Download fetched files

Store the downloaded 'fetched' files in a secure location to avoid lateral propagation to other connected environments.

  • On the Files > Fetched Files page, click the 3-dot menu of a file and click Download.
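The page does not say how to handle the downloaded copy once it leaves the instance, only that it must be stored in a secure location. The script below is an added example, not ColorTokens code, of one way an analyst can do that on the analysis workstation: it refuses anything over the 10 MB fetch limit stated above, records the SHA-256 of the copy, and writes it into a quarantine directory under a content-hash name with a neutral '.bin' extension and no execute bit, so the sample cannot be launched by accident while it is being examined. The function names, the quarantine directory layout and the sample bytes are assumptions made for the example.

```python
"""Added example (not ColorTokens' code): stage a downloaded 'fetched' file
in a local quarantine directory so it cannot be run by accident."""
import hashlib
import os
import shutil
import stat
import tempfile

# 10 MB is the File fetch size limit stated in the documentation.
MAX_FETCH_SIZE = 10 * 1024 * 1024

# Constructed sample content standing in for a downloaded fetched file.
SAMPLE_BYTES = b"MZ-not-really-a-binary: constructed sample\n"


def sha256_file(path):
    """Return the hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def quarantine_file(src, quarantine_dir, max_size=MAX_FETCH_SIZE):
    """Copy src into quarantine_dir as <sha256>.bin with mode 0600.

    Raises ValueError if the file is larger than max_size, which should not
    happen for a genuinely fetched file but guards against mix-ups with other
    downloads. Returns a dict describing the quarantined copy.
    """
    size = os.path.getsize(src)
    if size > max_size:
        raise ValueError(f"{src}: {size} bytes exceeds limit of {max_size}")

    # Quarantine directory readable and writable by the analyst only.
    os.makedirs(quarantine_dir, mode=0o700, exist_ok=True)
    os.chmod(quarantine_dir, 0o700)

    digest = sha256_file(src)
    # Content-hash name avoids collisions; '.bin' stops shell/file-manager
    # associations from treating the sample as a runnable program.
    dest = os.path.join(quarantine_dir, digest + ".bin")
    shutil.copyfile(src, dest)
    os.chmod(dest, stat.S_IRUSR | stat.S_IWUSR)  # 0600: no execute bit

    return {"sha256": digest, "size": size, "path": dest}


def demo():
    """Quarantine a constructed sample in a temp dir and report the result.

    Returns (sha256, size, file mode bits, has_bin_suffix).
    """
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "fetched_sample.exe")  # hypothetical name
        with open(sample, "wb") as handle:
            handle.write(SAMPLE_BYTES)
        info = quarantine_file(sample, os.path.join(tmp, "quarantine"))
        mode = stat.S_IMODE(os.stat(info["path"]).st_mode)
        return info["sha256"], info["size"], mode, info["path"].endswith(".bin")


def demo_oversize_rejected():
    """Show the size guard firing: a tiny limit makes the sample oversize."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "fetched_sample.exe")
        with open(sample, "wb") as handle:
            handle.write(SAMPLE_BYTES)
        try:
            quarantine_file(sample, os.path.join(tmp, "quarantine"), max_size=8)
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    print(demo())
    print("oversize rejected:", demo_oversize_rejected())
```

The SHA-256 recorded here is worth keeping with your case notes: it lets you confirm later that the copy you analyzed is the same file you fetched, and it is the value to compare against other detections of the same sample.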

Isolate fetched files

During your analysis, if you find that a fetched file is malicious, you can isolate the file and avoid lateral propagation to other connected hosts.
