Risks are detected while a Symantec Endpoint Protection (SEP) client is disconnected from the Symantec Endpoint Protection Manager (SEPM). Upon reconnecting the client to the SEPM, the logs for detection or quarantine are not sent to the SEPM

Hybrid SEPM / cloud management

Logs are only sent once and marked as uploaded, whether that is to the SEPM or to the cloud. 

When hybrid-managed clients are disconnected from the SEPM, the events are uploaded to the ICDm (cloud console). Those events are not synched back to the SEPM, by design.