Set Downloaded File Name to Original File Path when using microsoft-atp-live-response-get-file in Microsoft Defender ATP Integration
Contributing to Cortex XSOAR Content
Make sure to register your contribution by filling the contribution registration form
The Pull Request will be reviewed only after the contribution registration form is filled.
Status
- [x] In Progress
- [ ] Ready
- [ ] In Hold - (Reason for hold)
Related Issues
fixes: link to the issue
Description
This pull request updates the Microsoft Defender for Endpoint ATP integration to set the name of downloaded files to match the original file path from the endpoint. Special characters in the path are converted as needed to ensure compatibility with file naming conventions.
Key Changes:
- The downloaded file now uses the original file path as its name, rather than the default "Response Result".
- Special characters in the file path are sanitized to ensure the filename is valid on all operating systems.
Impact:
- Improves traceability by making it easier to identify the source and location of the downloaded file.
- Aligns the XSOAR integration’s behavior more closely with the Defender for Endpoint portal experience.
Must have
- [ ] Tests
- [ ] Documentation
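An added example, not code from this pull request or from the integration: one way to flatten an endpoint-supplied path into a single portable file name, so that separators and `..` segments in the path cannot steer where the downloaded file is written. The function name `path_to_safe_filename`, the `_` replacement character and the `file` fallback are assumptions; the description does not say how the PR converts special characters.

```python
import re

# Characters Windows rejects in file names, both path separators,
# and ASCII control characters.
_UNSAFE = re.compile(r'[<>:"/\\|?*\x00-\x1f]')

# Device names Windows reserves regardless of extension.
_RESERVED = {"CON", "PRN", "AUX", "NUL",
             *(f"COM{i}" for i in range(1, 10)),
             *(f"LPT{i}" for i in range(1, 10))}


def path_to_safe_filename(original_path: str, max_len: int = 255) -> str:
    """Flatten an endpoint-supplied path into one portable file name.

    Hypothetical helper: replacement rules are assumptions of this example.
    """
    # Separators become "_", so the result is always a single component.
    name = _UNSAFE.sub("_", original_path)
    # Collapse runs of "_" produced by sequences such as "C:\".
    name = re.sub(r"_+", "_", name)
    # Leading dots hide the file on Unix and are what is left of "..\";
    # trailing dots and spaces are silently dropped by Windows.
    name = name.lstrip("._ ").rstrip(". ")
    if not name:
        return "file"  # constructed fallback for empty or all-dot input

    stem, dot, ext = name.rpartition(".")
    if not dot:  # no extension present
        stem, ext = name, ""
    # "NUL.txt" or "con.tar.gz" still opens the device on Windows.
    if stem.split(".")[0].upper() in _RESERVED:
        stem = "_" + stem

    # Truncate the stem rather than the extension (length in characters).
    suffix = dot + ext
    keep = max(1, max_len - len(suffix))
    return (stem[:keep] + suffix)[:max_len]
```

The mapping is lossy: `C:\a\b.txt` and `C:\a_b.txt` produce the same name, so the original path should also be kept in the file entry's metadata when it is needed as evidence.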
Thank you for your contribution. Your generosity and caring are unrivaled! Make sure to register your contribution by filling the Contribution Registration form, so our content wizard @ilappe will know the proposed changes are ready to be reviewed. For your convenience, here is a link to the contributions SLAs document.
Hi @oggolithos, thanks for contributing to the XSOAR marketplace. To receive credit for your generous contribution please follow this link.
Hello @mmhw. Thank you for your feedback. Did you have time to check my latest commit? I tried to join the DFIR community on Slack but the link I get via email says it has already expired when I receive it. Can you invite me manually from Slack? Thank you.
For the Reviewer: Trigger build request has been accepted for this contribution PR.
For the Reviewer: Successfully created a pipeline in GitLab with url: https://gitlab.xdr.pan.local/xdr/cortex-content/content/-/pipelines/4012209
Validate summary
The following errors were thrown as a part of this pr: DO106, PA101, PA114, RN106.
The following errors cannot be ignored: DO106, PA101, PA114, RN106.
The following errors don't run as part of the nightly flow and therefore can be force merged: DO106, PA114, RN106.
Verdict: PR can be force merged from validate perspective? ❌
Hi @oggolithos,
Thank you for your contribution. I have not received a response from you in the last two weeks, so I will close your PR now. Please feel free to re-open it when you are available to continue.
Thanks again.