Get the EVTX file generated during a file’s behavior analysis


Special privileges required

Sandbox analyses feeds endpoints are only available to users with a Sandbox feeds license. Contact us for more information.

Each JSON object contained in the file behaviour feed packages includes a link to this API endpoint for downloading the EVTX extracted from the file's Windows sandbox execution. The link available in the feed already includes the download token required by this endpoint. The following snippet shows the JSON structure in the file behaviour feed that carries the link:

  "context_attributes": {
    "evtx": "<TOKEN>/evtx"
  }

The link only works during the feed's lifetime. Check /feeds/file_behaviours/{time} for more information.
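The following Python sketch is an added example, not part of the original documentation. It pulls the `context_attributes.evtx` link out of feed objects, redacts the embedded download token before the link is logged, and checks that downloaded bytes start with the EVTX file signature. It assumes the feed package has already been decompressed to text with one JSON object per line and that each object has an `id` field; the host name, ids and tokens in the sample are constructed.

```python
import json

EVTX_MAGIC = b"ElfFile\x00"  # 8-byte signature at offset 0 of a Windows .evtx file

# Constructed sample feed text (assumed layout: one JSON object per line).
SAMPLE_FEED = "\n".join([
    json.dumps({"id": "sample-1", "context_attributes":
                {"evtx": "https://feeds.example.invalid/TOKEN-A/evtx"}}),
    json.dumps({"id": "sample-2", "context_attributes": {}}),  # no EVTX link
    "{truncated",                                               # damaged line
])

def evtx_links(feed_text):
    """Return ({object id: evtx link}, number of unparseable lines)."""
    links, skipped = {}, 0
    for line in feed_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if not isinstance(obj, dict):
            continue
        link = (obj.get("context_attributes") or {}).get("evtx")
        # The page shows the link ending in "<TOKEN>/evtx"; ignore anything else.
        if isinstance(link, str) and link.endswith("/evtx"):
            links[obj.get("id")] = link
    return links, skipped

def redact_token(link):
    """Hide the download token (the path segment before /evtx) for logging."""
    head, _, _ = link[: -len("/evtx")].rpartition("/")
    return f"{head}/<redacted>/evtx" if head else "<redacted>/evtx"

def looks_like_evtx(data):
    """True if the bytes begin with the EVTX signature (not, e.g., an error body)."""
    return data[:8] == EVTX_MAGIC

if __name__ == "__main__":
    found, bad = evtx_links(SAMPLE_FEED)
    for obj_id, link in found.items():
        print(obj_id, redact_token(link))
    print("unparseable lines:", bad)
```

Because the link carries its own download token and only works during the feed's lifetime, download promptly and run `looks_like_evtx` on the response body before handing it to an event log parser.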
