The cloud backend is often where detection correlation happens:

- Correlates events across endpoints (e.g., same file hash seen on multiple machines)
- Detects coordinated attacks, lateral movement, privilege escalation
- Triggers containment actions (e.g., kill process, block IP, isolate host)
- Feeds analytics to SIEM/XDR platforms
This architecture allows detection even if the local agent is bypassed—as long as partial telemetry still reaches the cloud.
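The following is an added example (not code from the original page or from any EDR vendor) of what that backend-side correlation looks like in miniature: it ingests constructed telemetry records in a hypothetical schema (field names such as `host`, `type`, `sha256`, `dst` and `dport` are assumptions), raises an alert when the same file hash executes on several endpoints, raises a second alert when many endpoints open SMB to a single internal destination, maps alerts to containment actions, and emits them in a flat form a SIEM could ingest. One constructed host (`ws-04`) ships only network telemetry, standing in for an endpoint whose local process monitoring was disabled; the cross-host rule still catches it, which is the point the paragraph above makes.

```python
"""Toy cloud-side correlation over endpoint telemetry.

Added example, not from the original page. All records and hash values
below are constructed placeholders, not real indicators.
"""
from collections import defaultdict
from dataclasses import dataclass, asdict
from typing import Dict, List, Set, Tuple

# Constructed telemetry as an agent would ship it to the backend.
TELEMETRY = [
    {"host": "ws-01", "type": "process", "sha256": "HASH_PLACEHOLDER_A", "pid": 4012},
    {"host": "ws-02", "type": "process", "sha256": "HASH_PLACEHOLDER_A", "pid": 1337},
    {"host": "ws-03", "type": "process", "sha256": "HASH_PLACEHOLDER_A", "pid": 2210},
    {"host": "ws-02", "type": "network", "dst": "10.0.0.50", "dport": 445},
    {"host": "ws-03", "type": "network", "dst": "10.0.0.50", "dport": 445},
    # ws-04: process telemetry is missing (local agent tampered with), but
    # network telemetry still reaches the cloud and can be correlated.
    {"host": "ws-04", "type": "network", "dst": "10.0.0.50", "dport": 445},
    {"host": "ws-05", "type": "process", "sha256": "HASH_PLACEHOLDER_B", "pid": 77},
    {"host": "ws-05", "type": "network", "dst": "93.184.216.34", "dport": 443},
]


@dataclass
class Alert:
    rule: str            # which correlation rule fired
    hosts: List[str]     # endpoints involved, sorted for stable output
    action: str          # containment action the backend would trigger


def correlate_hash_spread(events, min_hosts: int = 3) -> List[Alert]:
    """Same file hash executed on at least `min_hosts` distinct endpoints."""
    hosts_by_hash: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e["type"] == "process":
            hosts_by_hash[e["sha256"]].add(e["host"])
    return [
        Alert("same_hash_multiple_hosts:" + h, sorted(hs), "quarantine_hash")
        for h, hs in hosts_by_hash.items()
        if len(hs) >= min_hosts
    ]


def correlate_smb_fanin(events, min_hosts: int = 3) -> List[Alert]:
    """Many endpoints opening SMB (445) to one internal destination.

    Uses only network telemetry, so it still works for a host whose
    process-level telemetry never arrived.
    """
    hosts_by_dst: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e["type"] == "network" and e["dport"] == 445:
            hosts_by_dst[e["dst"]].add(e["host"])
    return [
        Alert("smb_fanin:" + d, sorted(hs), "isolate_hosts")
        for d, hs in hosts_by_dst.items()
        if len(hs) >= min_hosts
    ]


def run_backend(events) -> Tuple[List[Alert], List[str]]:
    """Run all rules; return alerts and the hosts slated for isolation."""
    alerts = correlate_hash_spread(events) + correlate_smb_fanin(events)
    to_isolate = sorted({h for a in alerts if a.action == "isolate_hosts" for h in a.hosts})
    return alerts, to_isolate


def to_siem_records(alerts: List[Alert]) -> List[dict]:
    """Flatten alerts into dicts suitable for forwarding to a SIEM/XDR."""
    return [dict(asdict(a), host_count=len(a.hosts), source="edr-cloud") for a in alerts]


if __name__ == "__main__":
    found, isolate = run_backend(TELEMETRY)
    for rec in to_siem_records(found):
        print(rec)
    print("isolate:", isolate)
```

Thresholds such as `min_hosts` are where the tuning lives in practice: too low and a legitimate software rollout trips the hash rule, too high and a slow-moving spread stays under it. The SMB rule deliberately keys on the destination rather than the source, because the host the analyst cares about least (the one with the tampered agent) is exactly the one that only appears as a source.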