During an initial side-by-side rollout, the primary objective is to evaluate the Falcon sensor's detection capabilities without causing operational disruption or conflicts with existing security solutions. To achieve this, the sensor should be placed in a "detect-only" mode. Setting the Machine Learning Prevention slider to "Disabled" ensures that Falcon will not block or quarantine any files, thereby preventing any interference. The Detection slider should be enabled (e.g., "Moderate") to generate alerts based on ML analysis. This configuration allows the security team to observe what Falcon would have prevented, assess its efficacy, and tune for false positives before enabling active blocking.

A. Detection slider: Extra Aggressive, Prevention slider: Cautious

This is incorrect because setting Prevention to "Cautious" enables blocking actions, which can interfere with the existing security solution during the testing phase.

C. Detection slider: Cautious, Prevention slider: Cautious

This is incorrect as any Prevention setting other than "Disabled" will cause Falcon to take blocking actions, violating the requirement to not interfere with existing solutions.

D. Detection slider: Disabled, Prevention slider: Disabled

This is incorrect because disabling Detection would prevent the ML engine from generating any alerts, making it impossible to evaluate its effectiveness during the test phase.

---

1. CrowdStrike Falcon Platform Documentation

"Prevention Policy Settings": The official documentation outlines the function of the Machine Learning sliders. It specifies that for initial deployments

Proof of Concepts (POCs)

or when running alongside another antivirus solution

administrators should set the Prevention slider to "Disabled". This creates a "detection-only" policy to monitor detections and tune the configuration before enabling prevention capabilities. The Detection slider is typically set to "Moderate" or "Aggressive" to gather data. (Reference: CrowdStrike Falcon UI > Host setup and management > Prevention policies > Sensor Capabilities > Machine Learning).

2. CrowdStrike Technical Document

"Best Practices for Deploying the CrowdStrike Falcon Platform": This guide details a phased deployment approach. Phase 1

"Monitor Mode

" explicitly recommends creating a new prevention policy with all prevention features

including Machine Learning prevention

set to "Disabled" or "detection-only". This allows the organization to baseline the environment and understand the impact of Falcon detections without affecting end-users or conflicting with other tools. (Reference: CrowdStrike Support Portal

"Best Practices for Deploying the CrowdStrike Falcon Platform

" Document ID: PS.1012

Section: "Phase 1: Monitor Mode

" pp. 5-6).