What happens to the detections for a host when detections are disabled in the Falcon console?

When detections are disabled in the Falcon console, they are immediately removed from the view in the console. This means that any alerts or detections that were previously logged for that host will no longer be accessible or visible to users managing the console. This feature is often used to streamline the view and focus on current threats, as well as to manage the overall data load within the console.

It is important to note that while the historical data may not be visible or accessible from the console after disabling detections, there may be backend processes that retain some level of information which is not reflected in the user interface. This is designed to help organizations maintain a clear and manageable incident response environment while focusing on active threats.