Update indicator-ip-domain.md

denisebmsft · web-flow · commit 5b361c0d369f · 2024-10-23T14:53:10.000-07:00
diff --git a/defender-endpoint/indicator-ip-domain.md b/defender-endpoint/indicator-ip-domain.md
@@ -105,6 +105,7 @@ For processes other than Microsoft Edge and Internet Explorer, web protection sc
 
 > [!NOTE]
 > Custom Indicators of Compromise and Web Content Filtering features are currently not supported in Application Guard sessions of Microsoft Edge. These containerized browser sessions can only enforce web threat blocks via the built-in SmartScreen protection. They cannot enforce any enterprise web protection policies.
+
 ## Network protection and the TCP three-way handshake
 
 With network protection, the determination of whether to allow or block access to a site is made after the completion of the [three-way handshake via TCP/IP](/troubleshoot/windows-server/networking/three-way-handshake-via-tcpip). Thus, when a site is blocked by network protection, you might see an action type of `ConnectionSuccess` under `NetworkConnectionEvents` in the Microsoft Defender portal, even though the site was blocked. `NetworkConnectionEvents` are reported from the TCP layer, and not from network protection. After the three-way handshake has completed, access to the site is allowed or blocked by network protection.
@@ -144,15 +145,15 @@ In the case where multiple different action types are set on the same indicator
 2. Warn
 3. Block
 
-_Allow_ overrides _warn_ which overrides _block_: Allow > Warn > Block. Therefore, in the above example, `Microsoft.com` would be allowed.
+"Allow" overrides "warn," which overrides "block", as follows: `Allow` > `Warn` > `Block`. Therefore, in the previous example, `Microsoft.com` would be allowed.
 
 ### Defender for Cloud Apps Indicators
 
 If your organization has enabled integration between Defender for Endpoint and Defender for Cloud Apps, block indicators will be created in Defender for Endpoint for all unsanctioned cloud applications. If an application is put in monitor mode, warn indicators (bypassable block) will be created for the URLs associated with the application. Allow indicators cannot be created for sanctioned applications at this time. Indicators created by Defender for Cloud Apps follow the same policy conflict handling described in the previous section.
 
 ## Policy precedence
 
-Microsoft Defender for Endpoint policy has precedence over Microsoft Defender Antivirus policy. In situations when Defender for Endpoint is set to **Allow**, but Microsoft Defender Antivirus is set to **Block**, the policy will default to **Allow**.
+Microsoft Defender for Endpoint policy has precedence over Microsoft Defender Antivirus policy. In situations when Defender for Endpoint is set to `Allow`, but Microsoft Defender Antivirus is set to `Block`, the policy defaults to `Allow`.
 
 ### Precedence for multiple active policies
 
