Description
Documentation links
Description
That page says
Specifically Elastic Defend will remove the file from its current location, encrypt it with the encryption key ELASTIC
Can that please say something like "Specifically Elastic Defend will remove the file from its current location, do a rolling XOR with the key ELASTIC"
Also the page says
You can access a quarantined file by using the get-file response action command in the response console. To do this, copy the path from the alert’s Quarantined file path field (file.Ext.quarantine_path), which appears under Highlighted fields in the alert details flyout. Then paste the value into the --path parameter. This action doesn’t restore the file to its original location, so you will need to do this manually.
Can we add a note to that to state that when get-file retrieves a file quarantined by Endpoint, the ELASTIC XOR is automatically undone; the original malware file is retrieved.
Which documentation set(s) does this bug apply to?
ESS and serverless
Release version
I'm not sure when this documentation was added.
Testing environment
N/A
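As an added illustration of the point raised in the Description above (example code, not Elastic's code and not from the docs page in question): a model of the rolling XOR with the repeating key ELASTIC. It assumes a plain byte-wise XOR with no extra quarantine-file header, which is an assumption about the on-disk format; it shows that applying the same operation twice restores the original file (what get-file does for the analyst) and why "encrypt" is the wrong word, since a repeating-key XOR gives up its key to any known plaintext of key length.

```python
from itertools import cycle

# Key named in the issue; the sample bytes below are constructed for the demo.
QUARANTINE_KEY = b"ELASTIC"

# Constructed sample: a PE-style header prefix (MZ magic) plus filler bytes.
SAMPLE_FILE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"


def rolling_xor(data: bytes, key: bytes = QUARANTINE_KEY) -> bytes:
    """XOR byte i of data with key[i % len(key)].

    XOR is an involution, so one function serves both directions:
    quarantine(original) and restore(quarantined) are the same operation.
    """
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def quarantine(original: bytes) -> bytes:
    """Model of what Endpoint does when it moves a file into quarantine."""
    return rolling_xor(original)


def restore(quarantined: bytes) -> bytes:
    """Model of what get-file does: undo the ELASTIC XOR before returning the file."""
    return rolling_xor(quarantined)


def recover_key_from_known_prefix(quarantined: bytes, known_prefix: bytes,
                                  key_len: int = len(QUARANTINE_KEY)) -> bytes:
    """Show why this is obfuscation, not encryption.

    Given key_len bytes of known plaintext (e.g. a standard file header),
    XORing them against the quarantined bytes at the same offsets yields the key.
    """
    if len(known_prefix) < key_len or len(quarantined) < key_len:
        raise ValueError(f"need at least {key_len} bytes of plaintext and ciphertext")
    return bytes(c ^ p for c, p in zip(quarantined[:key_len], known_prefix[:key_len]))


if __name__ == "__main__":
    q = quarantine(SAMPLE_FILE)
    print("quarantined :", q.hex())
    print("restored    :", restore(q).hex())
    print("key leaked  :", recover_key_from_known_prefix(q, SAMPLE_FILE))
```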