Custom network indicators setting

Copper Contributor



Does anyone have any detail on what the custom network indicators setting in Advanced features actually does please? The description in the Defender portal indicates it’s needed to allow or block connections to items in custom indicator list. However, the description on Microsoft (here ) says it controls ability to create these indicators. That does not appear to be the case as custom indicators are being added with this off.


Situation I have is that this setting is off but the MSSP has been adding custom indicators associated with threat actor. There are also custom indicators being created from Defender for Cloud Apps unsanctioned apps. 

There are incidents being created for blocks to unsanctioned apps, which indicates that this appears to work even with custom network indicators setting turned off. I need to be sure that the threat actor IP addresses will be blocked, so will recommend that the setting is turned on. But it would be good to have the detail of exactly what this does.

0 Replies