When the host is offline, the sensor will keep collecting telemetry and store it locally in a "ring buffer" (which limits the total possible size). When the host is back online, the content of this buffer will be flushed to the cloud where detection and response (D&R) rules will apply as usual.

The same ring buffer is used when the sensor runs normally. It holds the full detailed telemetry generated within the sensor, even if it is not sent to the cloud in real-time. The cloud can then retroactively request the full or partial content of the ring buffer.

Did this answer your question?