It would be nice if the SIEM not reporting escalation logic could incorporate the EDR component as well. If a host is turned off, we don't need to know that it also isn't sending SIEM logs. Our RMM will alert when servers are down.
Perhaps there should be separate logic if a syslog collector host is down, since that will cause firewall, etc. logs to stop being delivered.
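A sketch of the escalation logic requested above, as an added example that is not part of the original post or any vendor's code. The field names, the one-hour threshold and the sample hosts are assumptions constructed for illustration; it also assumes a stale EDR check-in means the host is off, and escalates when no EDR data exists at all.

```python
from datetime import datetime, timedelta, timezone

SILENCE = timedelta(hours=1)  # assumed threshold for "not reporting"

def classify(host, now, threshold=SILENCE):
    """Return (action, affected_sources) for one host record.

    Hypothetical fields: name, role ("endpoint" or "syslog_collector"),
    last_siem_log, last_edr_checkin (datetime or None), relays_for (list).
    """
    def stale(ts):
        return ts is not None and now - ts > threshold

    siem_ts = host["last_siem_log"]
    if siem_ts is not None and not stale(siem_ts):
        return ("ok", [])
    if host["role"] == "syslog_collector":
        # A silent collector also silences every device relaying through it,
        # so it is escalated on its own track regardless of EDR state.
        return ("escalate_collector", list(host.get("relays_for", [])))
    if stale(host.get("last_edr_checkin")):
        # SIEM and EDR both quiet: host is most likely off; RMM covers that.
        return ("suppress_host_offline", [])
    # EDR is alive (or there is no EDR data to prove the host is off):
    # logging has stopped on a host that may still be running.
    return ("escalate_siem_not_reporting", [])

def triage(hosts, now):
    """Map host name -> (action, affected_sources) for every non-ok host."""
    results = {h["name"]: classify(h, now) for h in hosts}
    return {name: r for name, r in results.items() if r[0] != "ok"}

# Constructed sample inventory.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
def _ago(**kw):
    return NOW - timedelta(**kw)

HOSTS = [
    {"name": "ws-01", "role": "endpoint",
     "last_siem_log": _ago(hours=5), "last_edr_checkin": _ago(hours=5)},
    {"name": "ws-02", "role": "endpoint",
     "last_siem_log": _ago(hours=5), "last_edr_checkin": _ago(minutes=2)},
    {"name": "ws-03", "role": "endpoint",
     "last_siem_log": _ago(minutes=1), "last_edr_checkin": _ago(minutes=1)},
    {"name": "ws-04", "role": "endpoint",
     "last_siem_log": _ago(hours=5), "last_edr_checkin": None},
    {"name": "syslog-01", "role": "syslog_collector",
     "last_siem_log": _ago(hours=3), "last_edr_checkin": _ago(hours=3),
     "relays_for": ["fw-edge", "sw-core"]},
]

if __name__ == "__main__":
    for name, (action, affected) in triage(HOSTS, NOW).items():
        print(name, action, affected)
```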