@TwoSevenOneT@RossMichaels328@Defte_ correct. technically you could catch it with some advanced logging logic, i.e. host reports back via sccm that cs service is running, but splunk had not seen events from it in last 24h. very few orgs do though.
@TwoSevenOneT@RossMichaels328@Defte_ there are some cloud-derived detections and blocks that CS does somewhat retroactively, and those would not happen once the EDR is blinded. but the core ruleset lives on the endpoint and will block/detect things even without network connectivity.
@RossMichaels328@TwoSevenOneT@Defte_ it works in a sense that blocks and detections aren’t sent up, but the actual actions on the endpoint still take place
@RidgelineCyber@shotgunner101 thanks for your reply. my understanding is that a lot of affected FOIAs dont generate application access logs to begin with, and since CA policy isn't evaluated until session (or conditions) expire, this generates a complete blind spot.