SentinelOne File Fetch and Forensic File Collection
HOWTO | Advanced

Dylan H.

Security Operations

February 11, 2026
8 min read

SCENARIO

During threat investigations, security analysts need to retrieve suspicious files from endpoints for deeper forensic analysis. Traditional methods (RDP/SSH to endpoint, manual file transfer) are time-consuming, disruptive, and may alter file timestamps. Organizations require the ability to remotely fetch files from endpoints without user disruption, preserve forensic integrity, and submit files to sandboxes for automated malware analysis.

Use this guide when you need to:

  • Remotely retrieve suspicious files from endpoints for malware analysis
  • Fetch files without disrupting users or alerting attackers
  • Preserve forensic integrity (file hashes, timestamps, metadata)
  • Collect files for sandbox analysis (VirusTotal, Joe Sandbox, Any.run)
  • Gather evidence for incident response or legal proceedings
  • Retrieve configuration files, scripts, or documents for investigation
  • Automate file collection from multiple endpoints simultaneously

Business Impact:

  • Faster investigations: Retrieve files in seconds vs. minutes/hours with manual methods
  • Non-disruptive: No need to RDP into endpoints or interrupt users
  • Forensic integrity: Preserves original file metadata and chain of custody
  • Automated analysis: Direct integration with sandbox platforms
  • Reduced dwell time: Quickly identify and analyze threats before they spread

SentinelOne File Fetch provides remote file retrieval from endpoints with forensic preservation, sandbox integration, and batch collection capabilities.


REQUIREMENTS & ASSUMPTIONS

Prerequisites:

  • SentinelOne Singularity Complete license: File Fetch included with Complete tier
  • Minimum agent version: 21.5 or later
  • Console access: Analyst or Admin role with File Fetch permissions
  • Network connectivity: Endpoint must be online and connected to console

File Fetch Capabilities:

  • File size limit: Up to 100 MB per file (configurable)
  • Multiple files: Fetch multiple files per endpoint simultaneously
  • Batch operations: Fetch same file from multiple endpoints
  • Forensic preservation: SHA256 hash, timestamps, metadata preserved
  • Sandbox integration: Auto-submit fetched files to VirusTotal, Joe Sandbox

PROCESS

Step 1: Access File Fetch interface

  1. Navigate to threat or endpoint:

    • Option A: Console → Threats → [Threat Details] → Actions → Fetch Files
    • Option B: Console → Sentinels → All Endpoints → [Endpoint] → Actions → Fetch Files
  2. File Fetch interface displays:

    • Endpoint Name: Target endpoint
    • File Path: Path to file to fetch
    • File Info: Size, hash, last modified
    • Fetch Options: Preserve metadata, submit to sandbox

Step 2: Fetch a single suspicious file

Example: Retrieve suspicious executable from Downloads folder

  1. Navigate to Console → Threats → [Threat Alert]

  2. Review threat details:

    • File Path: C:\Users\jdoe\Downloads\invoice.exe
    • File Hash (SHA256): abc123def456...
    • Detection: Suspicious behavior, unsigned executable
  3. Click Actions → Fetch File

  4. Configure fetch options:

    • File Path: C:\Users\jdoe\Downloads\invoice.exe (auto-populated)
    • Preserve Metadata: ✅ Enabled (preserve timestamps)
    • Submit to Sandbox: ✅ VirusTotal (auto-submit for analysis)
    • Password-Protect Archive: ✅ Enabled (protect file with password: infected)
  5. Click Fetch File

  6. Fetch status:

    • Status: Fetching... (typically 10-60 seconds)
    • Progress: Downloading file from endpoint
    • Completion: File fetched successfully → Download Available
  7. Download fetched file:

    • Click Download
    • File downloaded as password-protected ZIP: invoice.exe.zip (password: infected)
    • Stored in Downloads folder
  8. Review sandbox results (if enabled):

    • After 2-5 minutes, VirusTotal results appear in threat details
    • Shows detection ratio (e.g., "45/70 vendors detected as malware")

Result: Suspicious file retrieved for offline analysis without disrupting user.


Step 3: Fetch files from multiple endpoints (batch operation)

Example: Retrieve same IOC file from all infected endpoints

  1. Navigate to Console → Threats → Filter by specific threat

  2. Select multiple endpoints (checkbox each affected endpoint)

  3. Click Actions → Fetch Files (Bulk)

  4. Configure bulk fetch:

    • File Path: C:\Windows\Temp\malware.exe (same path on all endpoints)
    • Endpoints: 15 selected
    • Submit to Sandbox: ✅ VirusTotal
  5. Click Fetch from All Endpoints

  6. Batch fetch status:

    • Total Endpoints: 15
    • Successful: 12 fetched
    • Failed: 3 (offline or file not found)
  7. Download all files:

    • Click Download All → Downloads ZIP archive containing all fetched files
    • Each file stored in subfolder by endpoint name

Result: Same file collected from multiple endpoints efficiently for comparative analysis.


Step 4: Fetch files using Deep Visibility query

Example: Fetch all executables created in Temp directories in last 24 hours

  1. Navigate to Visibility → Deep Visibility

  2. Run query to identify suspicious files:

    EventType = "File Creation" AND
    FilePath CONTAINS "\Temp\" AND
    FileExtension = ".exe" AND
    CreatedAt >= "2025-11-25T00:00:00Z"
    
  3. Review results (e.g., 20 suspicious files found across 15 endpoints)

  4. Bulk fetch files:

    • Select all results
    • Click Actions → Fetch Files
    • SentinelOne automatically fetches files from each endpoint
  5. Download and analyze:

    • All files downloaded as password-protected archive
    • Submit to sandbox or analyze offline

Result: Automated file collection based on behavioral detection queries.


Step 5: Submit fetched files to sandbox for automated analysis

Integrated Sandbox Platforms:

  • VirusTotal: Quick malware detection (free, rate-limited)
  • Joe Sandbox: In-depth behavioral analysis (requires account)
  • Any.run: Interactive malware analysis (requires account)
  • Cuckoo Sandbox: Self-hosted sandbox (requires configuration)

Auto-Submission Workflow:

  1. Enable sandbox integration:

    • Console → Settings → Integrations → Sandbox
    • Add VirusTotal API key, Joe Sandbox credentials, etc.
  2. Fetch file with auto-submit enabled:

    • File Fetch → Submit to Sandbox: ✅ VirusTotal
  3. Sandbox analysis workflow:

    • File fetched from endpoint → Uploaded to VirusTotal automatically
    • VirusTotal analyzes file (2-5 minutes)
    • Results imported back to SentinelOne threat details
  4. Review sandbox results:

    • Console → Threats → [Threat] → Sandbox Analysis Tab
    • Detection Ratio: 58/70 vendors detected as malware
    • Behavior: Process injection, registry modification, C2 callbacks
    • Network IOCs: Contacted IP 198.51.100.75:443
    • MITRE ATT&CK: T1055 (Process Injection), T1071 (Application Layer Protocol)

Result: Automated malware analysis with minimal analyst effort.


Step 6: Preserve forensic integrity and chain of custody

For legal or compliance investigations:

  1. Document file fetch:

    • Who fetched the file
    • When fetched (timestamp)
    • Source endpoint
    • Original file path, hash, size, timestamps
  2. Verify file integrity:

    # After downloading fetched file, verify hash matches
    Get-FileHash "invoice.exe" -Algorithm SHA256
     
    # Compare with hash shown in SentinelOne console
    # Hashes should match exactly
  3. Maintain chain of custody:

    • Store fetched files in secure, access-controlled location
    • Log all file access (who viewed/analyzed file)
    • Use write-once media (CD-ROM, WORM storage) for evidence preservation
  4. Generate forensic report:

    • Export threat details to PDF
    • Include: File hash, fetch timestamp, sandbox results, analyst notes
    • Sign and date report for legal proceedings

Result: Forensic integrity maintained for legal admissibility.


Step 7: Automate file fetch using API

<#
.SYNOPSIS
    Fetch a file from an endpoint using the SentinelOne API and download the resulting archive
#>
 
param(
    [Parameter(Mandatory)][string]$ApiToken,
    [Parameter(Mandatory)][string]$ConsoleUrl,   # e.g. https://your-tenant.sentinelone.net
    [Parameter(Mandatory)][string]$EndpointId,
    [Parameter(Mandatory)][string]$FilePath,
    [string]$OutFile = "fetched-file.zip",
    [int]$MaxPolls = 60                            # 60 polls x 5 s = 5 minute ceiling
)
 
$ErrorActionPreference = "Stop"
$ConsoleUrl = $ConsoleUrl.TrimEnd("/")
 
$headers = @{
    "Authorization" = "ApiToken $ApiToken"
    "Content-Type"  = "application/json"
}
 
# Initiate file fetch; the archive is protected with the conventional password "infected"
$body = @{
    data = @{
        filePath = $FilePath
        password = "infected"
    }
} | ConvertTo-Json -Depth 5
 
$fetchRequest = Invoke-RestMethod -Uri "$ConsoleUrl/web/api/v2.1/agents/$EndpointId/actions/fetch-files" -Headers $headers -Method Post -Body $body
$activityId = $fetchRequest.data.activityId
Write-Host "File fetch initiated: $activityId"
 
# Poll for completion, but give up after $MaxPolls attempts so an offline endpoint cannot hang the script
$polls = 0
do {
    Start-Sleep -Seconds 5
    $status = Invoke-RestMethod -Uri "$ConsoleUrl/web/api/v2.1/activities/$activityId" -Headers $headers -Method Get
    $polls++
    Write-Host "Status: $($status.data.status) (poll $polls/$MaxPolls)"
} while ($status.data.status -eq "pending" -and $polls -lt $MaxPolls)
 
# Download only on success; every other outcome is reported instead of exiting silently
switch ($status.data.status) {
    "success" {
        $downloadUrl = $status.data.data.downloadUrl
        Invoke-WebRequest -Uri $downloadUrl -Headers $headers -OutFile $OutFile
        Write-Host "File downloaded: $OutFile (password: infected)"
        # Record the archive hash now for the chain-of-custody log (Step 6)
        Get-FileHash $OutFile -Algorithm SHA256 | Format-List
    }
    "pending" { Write-Warning "Fetch still pending after $MaxPolls polls; endpoint may be offline. Activity: $activityId" }
    default   { Write-Error "Fetch did not succeed: status '$($status.data.status)' for activity $activityId" }
}
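The same workflow in Python, as an added example that is neither the article's code nor SentinelOne's own tooling. It keeps the endpoint paths and response fields the article's script uses (data.activityId, data.status, data.data.downloadUrl) but adds what a one-off poll loop leaves out: a bounded poll count, handling of terminal states other than "success", and a batch wrapper that runs the same fetch across the endpoint list from Step 3 or the Deep Visibility results from Step 4 and tallies successes and failures. The HTTP layer is injected, so the block runs offline against a constructed stub (endpoint ids ep-01 to ep-03, the console URL, the download URL and the set of terminal states are assumptions); requests_transport is the drop-in for a real console. Confirm the request body schema against your tenant's API reference before use.

```python
import json
import time
from typing import Any, Callable, Dict, List, Optional, Tuple

# transport(method, url, headers, json_body_or_None) -> parsed JSON response dict
Transport = Callable[[str, str, Dict[str, str], Optional[Dict[str, Any]]], Dict[str, Any]]

# Assumed terminal activity states (not from the article); any of these stops polling.
TERMINAL_STATES = {"success", "failed", "expired", "error"}


class FetchClient:
    def __init__(self, console_url: str, api_token: str, transport: Transport,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        self.base = console_url.rstrip("/")
        self.headers = {"Authorization": f"ApiToken {api_token}",
                        "Content-Type": "application/json"}
        self.transport = transport
        self.sleep = sleep  # injectable so an offline run does not actually wait

    def start_fetch(self, endpoint_id: str, file_path: str, password: str = "infected") -> str:
        url = f"{self.base}/web/api/v2.1/agents/{endpoint_id}/actions/fetch-files"
        body = {"data": {"filePath": file_path, "password": password}}
        return self.transport("POST", url, self.headers, body)["data"]["activityId"]

    def wait_for(self, activity_id: str, max_polls: int = 60, interval_s: float = 5.0) -> Dict[str, Any]:
        """Poll the activity until it reaches a terminal state or the poll budget is spent."""
        url = f"{self.base}/web/api/v2.1/activities/{activity_id}"
        status = "pending"
        for _ in range(max_polls):
            self.sleep(interval_s)
            resp = self.transport("GET", url, self.headers, None)
            status = resp.get("data", {}).get("status", "pending")
            if status in TERMINAL_STATES:
                return resp
        raise TimeoutError(f"activity {activity_id} still '{status}' after {max_polls} polls")

    def fetch_file(self, endpoint_id: str, file_path: str) -> Dict[str, Any]:
        """One endpoint -> one result dict; never raises, so a batch keeps going."""
        try:
            activity_id = self.start_fetch(endpoint_id, file_path)
            resp = self.wait_for(activity_id)
        except Exception as exc:  # HTTP error, missing field, timeout: all count as failed
            return {"endpoint": endpoint_id, "ok": False, "reason": str(exc)}
        status = resp["data"]["status"]
        if status != "success":
            return {"endpoint": endpoint_id, "ok": False, "reason": f"status={status}"}
        return {"endpoint": endpoint_id, "ok": True,
                "download_url": resp["data"]["data"]["downloadUrl"]}


def bulk_fetch(client: FetchClient, endpoint_ids: List[str], file_path: str
               ) -> Tuple[List[Dict[str, Any]], Dict[str, Any]]:
    """Same path on many endpoints (Step 3); returns per-endpoint results plus a tally."""
    results = [client.fetch_file(e, file_path) for e in endpoint_ids]
    summary = {"total": len(results),
               "successful": sum(1 for r in results if r["ok"]),
               "failed": [f"{r['endpoint']}: {r['reason']}" for r in results if not r["ok"]]}
    return results, summary


def requests_transport(method, url, headers, body):
    """Real transport for production use (needs the 'requests' package)."""
    import requests
    resp = requests.request(method, url, headers=headers, json=body, timeout=30)
    resp.raise_for_status()
    return resp.json()


def make_stub_transport(outcomes: Dict[str, str]) -> Transport:
    """Constructed offline stand-in for the console: outcomes maps endpoint id to its
    final activity status; unknown endpoints behave like offline agents (HTTP error)."""
    polls: Dict[str, int] = {}

    def transport(method, url, headers, body):
        if method == "POST" and url.endswith("/actions/fetch-files"):
            endpoint_id = url.split("/agents/")[1].split("/")[0]
            if endpoint_id not in outcomes:
                raise RuntimeError("HTTP 404: agent not found or offline")
            return {"data": {"activityId": f"act-{endpoint_id}"}}
        if method == "GET" and "/activities/" in url:
            activity_id = url.rsplit("/", 1)[1]
            polls[activity_id] = polls.get(activity_id, 0) + 1
            if polls[activity_id] < 2:  # first poll is always still pending
                return {"data": {"status": "pending"}}
            final = outcomes[activity_id[len("act-"):]]
            payload: Dict[str, Any] = {"status": final}
            if final == "success":
                payload["data"] = {"downloadUrl": f"https://console.example/dl/{activity_id}.zip"}
            return {"data": payload}
        raise ValueError(f"unexpected call: {method} {url}")
    return transport


if __name__ == "__main__":
    stub = make_stub_transport({"ep-01": "success", "ep-02": "failed"})  # ep-03 is "offline"
    client = FetchClient("https://console.example", "REDACTED-TOKEN", stub, sleep=lambda s: None)
    _, tally = bulk_fetch(client, ["ep-01", "ep-02", "ep-03"], r"C:\Windows\Temp\malware.exe")
    print(json.dumps(tally, indent=2))
```

For a live run, construct the client as `FetchClient(console_url, api_token, requests_transport)` and keep the default sleep; the tally's "failed" list is what you reconcile against the "offline or file not found" count the console shows in Step 3.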

VERIFICATION

Verify File Fetch is operational:

  1. Check license:

    Console → Settings → License → Modules: "File Fetch" = Active
    
  2. Test file fetch:

    • Identify a known-safe file on test endpoint (e.g., C:\Windows\System32\notepad.exe)
    • Console → Sentinels → [Test Endpoint] → Actions → Fetch Files
    • File Path: C:\Windows\System32\notepad.exe
    • Click Fetch File
    • Verify file downloads successfully
  3. Verify hash integrity:

    # Compare fetched file hash with original
    Get-FileHash "notepad.exe" -Algorithm SHA256
    # Hash should match exactly
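An added example (not from the article) that covers this hash check and the chain-of-custody record from Step 6 in one script: it streams the fetched file through SHA256, compares the digest against the hash the console displayed, and appends a JSON-lines custody entry in which each line carries the hash of the line before it, so a deleted or edited entry is detectable later. The sample bytes, the endpoint name WS-JDOE-01, the analyst name and the temp directory are constructed for the offline run; with a real fetch you pass the downloaded file's path and the console's hash.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from typing import Any, Dict

GENESIS = "0" * 64  # previous-entry hash used for the first line of a new log


def sha256_of(path: str, chunk: int = 1024 * 1024) -> str:
    """Stream the file so a 100 MB fetch is not loaded into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_and_record(local_path: str, console_sha256: str, endpoint: str,
                      original_path: str, analyst: str) -> Dict[str, Any]:
    """Build the Step 6 record (who, when, source, path, hash, size) and flag a mismatch."""
    actual = sha256_of(local_path)
    return {
        "analyst": analyst,
        "recorded_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "source_endpoint": endpoint,
        "original_path": original_path,
        "local_copy": os.path.abspath(local_path),
        "size_bytes": os.path.getsize(local_path),
        "sha256_console": console_sha256.lower(),
        "sha256_verified": actual,
        "hash_match": actual == console_sha256.lower(),
    }


def append_custody_entry(record: Dict[str, Any], log_path: str) -> None:
    """Append one JSON line that includes the SHA256 of the previous line."""
    prev = GENESIS
    if os.path.exists(log_path):
        with open(log_path, "rb") as f:
            lines = f.read().splitlines()
        if lines:
            prev = hashlib.sha256(lines[-1]).hexdigest()
    entry = dict(record, prev_entry_sha256=prev)
    with open(log_path, "ab") as f:
        f.write(json.dumps(entry, sort_keys=True).encode("utf-8") + b"\n")


def verify_custody_log(log_path: str) -> bool:
    """True only if every line's prev_entry_sha256 matches the hash of the line before it."""
    prev = GENESIS
    with open(log_path, "rb") as f:
        for line in f.read().splitlines():
            if json.loads(line).get("prev_entry_sha256") != prev:
                return False
            prev = hashlib.sha256(line).hexdigest()
    return True


SAMPLE = b"MZ constructed sample bytes, not a real executable"  # constructed stand-in


def run_demo() -> Dict[str, Any]:
    """Offline walk-through: a matching hash, a mismatching hash, then the chain check."""
    workdir = tempfile.mkdtemp(prefix="s1fetch-")
    local = os.path.join(workdir, "invoice.exe")
    with open(local, "wb") as f:
        f.write(SAMPLE)
    log = os.path.join(workdir, "custody.jsonl")
    console_hash = hashlib.sha256(SAMPLE).hexdigest()  # what the console would display
    src = r"C:\Users\jdoe\Downloads\invoice.exe"
    good = verify_and_record(local, console_hash, "WS-JDOE-01", src, "analyst1")
    append_custody_entry(good, log)
    bad = verify_and_record(local, "00" * 32, "WS-JDOE-01", src, "analyst1")  # wrong hash
    append_custody_entry(bad, log)
    return {"good_match": good["hash_match"], "bad_match": bad["hash_match"],
            "chain_ok": verify_custody_log(log), "entries": 2, "log": log}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

A record with hash_match false is the cue for the "File hash mismatch after fetch" troubleshooting steps below; keep the log itself on the access-controlled evidence store, and run verify_custody_log before a report is signed.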

TROUBLESHOOTING

Issue: File fetch fails

Solutions:

  1. Verify endpoint is online: Console → Sentinels → [Endpoint] → Status = Connected
  2. Check file path: Ensure path is correct (case-sensitive on Linux/macOS)
  3. Verify file size: Files >100 MB may fail (contact SentinelOne to increase limit)
  4. Check permissions: Agent must have read access to file

Issue: File hash mismatch after fetch

Solutions:

  1. Re-fetch file: File may have changed during fetch
  2. Check for anti-tampering: Some malware detects analysis and modifies itself
  3. Verify agent integrity: Ensure agent is not compromised

Document Version: 1.0 | Last Updated: 2025-11-26 | Author: CosmicBytez IT Operations
