Detections related to a penetration test on a particular server are currently generating thousands of...

The correct action is to temporarily disable detections for the server in Host Management and re-enable them after the penetration test is complete. Falcon’s Disable Detections function is specifically useful for test hosts when administrators want to prevent test detections from cluttering the Endpoint detections console. When detections are disabled, detections for that host are removed from the console immediately, and no new detections from that host display until detections are enabled again. This does not uninstall the sensor, and the sensor continues to operate normally with prevention policies, custom IOA rules, exclusion rules, and other controls still processed. Creating a workflow to email the SOC would increase noise rather than reduce it. Permanently disabling detections creates unnecessary long-term blind spots. Deleting detections and containing the server is also inappropriate because the activity is authorized testing, not necessarily an incident requiring containment. Reference topics: Host Management, Disable Detections, endpoint detection suppression, penetration test handling.