What happens when detections are disabled for a host?

When detections are disabled for a host, the existing detections do not get removed from the Falcon UI. In fact, the detections remain in the system, providing historical data for review. This allows administrators to maintain visibility over past incidents, which can be critical for analyzing patterns or understanding previous threats faced by that host. Disabling detections means real-time threat detection and alerts are paused, but it does not eliminate the past information already captured in the system.

The other options suggest actions or consequences that are not associated with disabling detections. For example, protection continues regardless of the detection setting, and disabling detections does not inherently enhance policy applications or store detections for later review since those functions don't align with the primary action of disabling detections.