...

    • Override rule mapping for APT events: Select a value from the drop-down list to override rule mapping for Advanced Persistent Threats. Events that are marked as APT events by FireEye override rules that are set for other event types. The values in the drop-down list are:
      • NoOverride – Select this if you want to use the policy from the rule level and do not want to override the rule mapping settings. This value is displayed in the drop-down list, by default.
      • Passthru – Select this if you want the user to see the actual response without modification. All the policy actions in an RPZ are replaced with the passthru action.
      • Block (No Such Domain) – Select this if you want the user to receive an NXDOMAIN as the DNS response. All the policy actions in an RPZ are replaced with an NXDOMAIN block.
      • Block (No Data) – Select this if you want the user to receive a response that indicates that there is no data.
      • Substitute (Domain Name) – Select this if you want to replace all the policy actions in an RPZ with the substitution action that is specified.
    • Substituted Domain Name: This appears only when you select Substitute (Domain Name) from the Policy Override list either for APT events or for FireEye alerts. Enter the domain name that you want the client to receive instead of the actual domain name, which is malicious or unauthorized.
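
The effect of each override value on the records an RPZ serves, as an added example that is not part of the product documentation or its code. The CNAME targets are the standard RPZ encodings; the rule entries, the function names, and the assumption that the override is applied to each entry created from an APT-marked event are illustrative.

```python
# Added example: resolve the effective RPZ action for each rule, then render it.
# Standard RPZ CNAME encodings for the non-substitute actions.
RPZ_TARGETS = {
    "Passthru": "rpz-passthru.",      # answer is returned unmodified
    "Block (No Such Domain)": ".",    # client receives NXDOMAIN
    "Block (No Data)": "*.",          # client receives NODATA
}

# Constructed sample rules; "policy" is (action, substituted domain or None).
RULES = [
    {"domain": "c2.example.net", "policy": ("Block (No Data)", None), "apt": True},
    {"domain": "ads.example.org", "policy": ("Passthru", None), "apt": False},
]

def effective_policy(rule, apt_override):
    """APT-marked entries take the APT override unless it is NoOverride."""
    if rule["apt"] and apt_override[0] != "NoOverride":
        return apt_override
    return rule["policy"]  # rule-level policy stays in force

def cname_target(policy):
    """Map a (action, substituted domain) pair to its RPZ CNAME target."""
    action, substitute = policy
    if action == "Substitute (Domain Name)":
        if not substitute:
            raise ValueError("Substitute (Domain Name) needs a Substituted Domain Name")
        return substitute.rstrip(".") + "."  # fully qualified replacement name
    return RPZ_TARGETS[action]

def render_zone(rules, apt_override):
    """Return RPZ record lines (owner names relative to the RPZ origin)."""
    return [
        f"{r['domain']} CNAME {cname_target(effective_policy(r, apt_override))}"
        for r in rules
    ]

if __name__ == "__main__":
    for override in [("NoOverride", None),
                     ("Block (No Such Domain)", None),
                     ("Substitute (Domain Name)", "walled-garden.example.com")]:
        print(override[0])
        for line in render_zone(RULES, override):
            print("   ", line)
```
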

...