From the Custom Response page, you can create and manage a custom response configuration. A custom response configuration allows you to direct suspicious traffic to a machine in your network where activity is recorded. Information about the user device that made the request is captured to discover the internal IP addresses of infected machines on the corporate network.
Data collected by a custom response device is not recorded in ETP. Only the information and events gathered from Enterprise Security Connector are available for analysis in ETP.
In a policy, you can select to use a custom response with the block action. This means that blocked traffic is directed to the custom response. If the proxy is not enabled and you are configuring application visibility and control, you can associate a custom response to a block action. For more information, see Application visibility and control.