[BUG] Clarify Endpoint's quarantine encryption scheme and how get-file deals with quarantined files #5157

@ferullo

Documentation links

https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html#manage-quarantined-files

Description

That page says

Specifically Elastic Defend will remove the file from its current location, encrypt it with the encryption key ELASTIC

Can that please say something like "Specifically Elastic Defend will remove the file from its current location, do a rolling XOR with the key ELASTIC"

Also the page says

You can access a quarantined file by using the get-file response action command in the response console. To do this, copy the path from the alert’s Quarantined file path field (file.Ext.quarantine_path), which appears under Highlighted fields in the alert details flyout. Then paste the value into the --path parameter. This action doesn’t restore the file to its original location, so you will need to do this manually.

Can we add a note to that to state that when get-file retrieves a file quarantined by Endpoint the ELASTIC XOR is automatically undone; the original malware file is retrieved.

Which documentation set(s) does this bug apply to?

ESS and serverless

Release version

I'm not sure when this documentation was added.

Testing environment

N/A
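As an added example (editor's code, not Elastic's and not part of the issue above), the "rolling XOR with the key ELASTIC" the issue describes, implemented as a repeating-key XOR over the file bytes. The page does not state the byte layout of a quarantine file, so the assumption that the ASCII key ELASTIC is applied byte-wise from offset zero with no header is mine. The block also shows why the wording change matters to a practitioner: XOR with a fixed, published key is its own inverse and the key falls out of a few bytes of known plaintext, so the scheme is obfuscation rather than encryption, and any hash or IOC comparison has to be run on the decoded bytes rather than on the quarantine blob as stored on disk.

```python
"""Repeating-key ("rolling") XOR as described in the issue.

Assumption (not stated on the page): every byte of the file is XORed with
successive bytes of the ASCII string ELASTIC, wrapping around, starting at
offset zero with no container header.
"""
from hashlib import sha256
from itertools import cycle

QUARANTINE_KEY = b"ELASTIC"


def rolling_xor(data: bytes, key: bytes = QUARANTINE_KEY) -> bytes:
    """XOR every byte of data with the repeating key.

    XOR is its own inverse, so the same call both quarantines and
    un-quarantines a file; get-file's automatic undo is this operation.
    """
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(blob: bytes, known_plaintext: bytes) -> bytes:
    """Recover a fixed XOR key from a blob whose leading bytes are known.

    ciphertext XOR plaintext == key, so as few known bytes as the key is
    long (e.g. a PE file's "MZ" header plus padding) expose the whole key.
    This is what makes the scheme obfuscation rather than encryption.
    """
    return bytes(c ^ p for c, p in zip(blob, known_plaintext))


def hashes_differ(original: bytes, quarantined: bytes) -> bool:
    """True when the quarantine blob hashes differently from the original.

    Hashing the on-disk quarantine file will not match threat-intel hashes
    of the sample; hash the decoded bytes instead.
    """
    return sha256(original).digest() != sha256(quarantined).digest()


# Constructed sample: a fake PE header followed by filler, not real malware.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    + b"constructed payload bytes for the example"
)
QUARANTINED = rolling_xor(SAMPLE)

if __name__ == "__main__":
    assert QUARANTINED[:2] != b"MZ"            # header is obscured on disk
    assert rolling_xor(QUARANTINED) == SAMPLE  # round trip restores the file
    print("recovered key:", recover_key(QUARANTINED, SAMPLE[:len(QUARANTINE_KEY)]))
    print("sha256 of decoded sample:", sha256(rolling_xor(QUARANTINED)).hexdigest())
```

When a quarantined file is pulled from a disk image or backup rather than through get-file, run `rolling_xor` over it before hashing, scanning or detonating it; the key-recovery helper is there to check the offset-zero assumption against a real quarantine file by feeding it a known header.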
