This is not new, but I've noticed that organizations' dependency on endpoint data for their threat detection capabilities keeps increasing. Almost all the public content I see from detection engineers is about detection based on endpoint telemetry.
I believe this is expected behavior. Google Gemini tells me that approximately 70-80% of ATT&CK techniques likely rely heavily on endpoint telemetry for optimal detection.
However, attackers always react when a defense mechanism reaches this level of importance. More and more EDR bypass techniques are appearing (see the latest from Marcus Hutchins), not to mention the fact that 100% coverage of the endpoint base is rarely a reality for most organizations. Asking Gemini again, I see an estimate of 50-75% coverage. Even if we take the more optimistic figure, one in four endpoints does not have the EDR agent installed. Ugh!
These are some of the reasons why identity-focused detection is so important. It reduces the "EDR dependency" of detection teams and improves resilience, since it still provides detection when EDR fails or is absent. There are also attacks where endpoint activity is simply not relevant for detection. For organizations running modern cloud architectures with serverless characteristics, and for those making heavy use of SaaS applications, these threat scenarios cannot be ignored.
Check your detection environment for endpoint dependency. A good way to compensate for that dependency is to deploy solutions such as UEBA, which focuses on user/identity behavior and can do a great job of detecting threats without relying too much on endpoint telemetry.
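As an added illustration of the kind of identity-behavior logic UEBA products apply (example code written for this post, not from the original author or any vendor), the script below consumes only identity-provider sign-in events and needs no endpoint agent. The event format, field names, thresholds, and the sample sign-ins are all constructed assumptions: it learns each user's countries and working-hour range from a baseline period, then flags successful sign-ins from a new country, at an unusual hour, or immediately after a burst of failures.

```python
"""Identity-based sign-in anomaly detection over identity-provider logs only.

Added example, not code from the original post. The event format, field names,
thresholds and all sample data below are assumptions constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_WINDOW = timedelta(minutes=10)  # look-back for a failure burst (assumed value)
FAILURE_THRESHOLD = 5                   # failures before a success that count as a burst (assumed)


def parse_ts(ts):
    """Parse the constructed ISO-8601 UTC timestamp format used in the sample events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def make_event(user, ts, country, result):
    """Build one sign-in event in the constructed schema (result is 'success' or 'failure')."""
    return {"user": user, "ts": ts, "country": country, "result": result}


# Constructed baseline: a week of normal sign-ins, nothing from an endpoint agent.
BASELINE_EVENTS = []
for day in range(1, 8):
    for hour in (8, 17):
        BASELINE_EVENTS.append(make_event("alice", f"2024-05-{day:02d}T{hour:02d}:00:00Z", "US", "success"))
    BASELINE_EVENTS.append(make_event("bob", f"2024-05-{day:02d}T10:00:00Z", "DE", "success"))

# Constructed events to evaluate against that baseline.
NEW_EVENTS = (
    [make_event("alice", "2024-05-09T10:00:00Z", "US", "success"),   # normal sign-in
     make_event("alice", "2024-05-09T03:12:00Z", "RU", "success")]   # new country, off hours
    + [make_event("bob", f"2024-05-09T09:5{i}:00Z", "DE", "failure") for i in range(6)]
    + [make_event("bob", "2024-05-09T10:00:00Z", "DE", "success")]   # success right after the burst
)


def build_profile(events):
    """Learn, per user, the countries and the hour-of-day range seen on successful sign-ins."""
    profile = {}
    for ev in events:
        if ev["result"] != "success":
            continue
        hour = parse_ts(ev["ts"]).hour
        p = profile.setdefault(ev["user"], {"countries": set(), "min_hour": hour, "max_hour": hour})
        p["countries"].add(ev["country"])
        p["min_hour"] = min(p["min_hour"], hour)
        p["max_hour"] = max(p["max_hour"], hour)
    return profile


def score_success(profile, ev, recent_failures):
    """Return the reasons a successful sign-in deviates from the user's baseline (empty if none)."""
    p = profile.get(ev["user"])
    if p is None:
        return ["no_baseline"]  # never-seen identity: worth a look on its own
    reasons = []
    hour = parse_ts(ev["ts"]).hour
    if ev["country"] not in p["countries"]:
        reasons.append("new_country")
    if hour < p["min_hour"] or hour > p["max_hour"]:
        reasons.append("unusual_hour")
    if recent_failures >= FAILURE_THRESHOLD:
        reasons.append("success_after_failure_burst")
    return reasons


def detect(baseline_events, new_events):
    """Return alerts as (user, ts, reasons) for every deviating successful sign-in."""
    profile = build_profile(baseline_events)
    failures = defaultdict(deque)  # per-user timestamps of failures inside FAILURE_WINDOW
    alerts = []
    for ev in sorted(new_events, key=lambda e: parse_ts(e["ts"])):
        ts = parse_ts(ev["ts"])
        q = failures[ev["user"]]
        while q and ts - q[0] > FAILURE_WINDOW:  # drop failures older than the window
            q.popleft()
        if ev["result"] == "failure":
            q.append(ts)
            continue
        reasons = score_success(profile, ev, len(q))
        if reasons:
            alerts.append((ev["user"], ev["ts"], reasons))
    return alerts


if __name__ == "__main__":
    for user, ts, reasons in detect(BASELINE_EVENTS, NEW_EVENTS):
        print(f"{ts} {user}: {', '.join(reasons)}")
```

Running it reports alice's 03:12 sign-in from a new country at an unusual hour and bob's success that follows six failures within ten minutes, while alice's normal 10:00 sign-in produces nothing. None of these verdicts depends on an EDR agent being present on the device, which is exactly the resilience the post argues for; in production the baseline would come from a longer history and the signals would be weighted rather than treated as equal.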