Forum Discussion
Indicator Policy Change with Defender takes more than 2 hours
Hi, We have recently ran into an issue that indicator was created through automation to block a benign URL (Shxt happens) and removal of the IoC did not sync with devices for 6 hours, maybe even ...
Didi00 There may be up to 2 hours of latency between the time a policy is created and the URL or IP being blocked on the device.
Create indicators for IPs and URLs/domains | Microsoft Learn
MDE has a scheduled lifecycle when you change or create any policy and some of the policies requires up to 6-12 hours to affect the targeted devices.
Thanks a lot for your response.
6-12 hours has 6 hours in between which is a huge amount of time when you roll back a change...
l couldnt find anywhere in documentation this being mentioned. Thanks again!
Didi00 i suggest you open a ticket with the security team so they can check the timeline of your tenant lifecycle and you may request if they can decrease the timing of the policy changes effect