Apply suggestions from code review

patriciasantaana · web-flow · commit acdd253c75b7 · 2025-06-05T08:25:52.000-07:00
diff --git a/src/content/docs/ddos-protection/managed-rulesets/network/override-expressions.mdx b/src/content/docs/ddos-protection/managed-rulesets/network/override-expressions.mdx
@@ -39,7 +39,9 @@ Refer to the [Fields reference](/ruleset-engine/rules-language/fields/reference/
 ## Important remarks
 
 - Each expression is limited to 4,000 characters, which means you can enter approximately a maximum of 200 IP addresses in a single expression. However, you can enter IP addresses in CIDR format, which allows you to include a larger number of IP addresses. For example, you can use `192.0.0.0/24` to match IP addresses from `192.0.0.0` to `192.0.0.255`.
-- An expression is not an <GlossaryTooltip term="allowlist">allowlist</GlossaryTooltip>. The expression is applied to the mitigation and not to the detection. This means that it will take effect only if the attack fingerprint that was generated to mitigate the attack contains a field from the user expression. A common case is to allowlist source IP addresses, but in most cases, the fingerprint does not contain the source IP addresses as DDoS attacks tend to be distributed. 
+Rather than being applied when attacks are detected, the override is applied to the mitigation rule that is created to block malicious packets. This means the override will only take effect if the attack fingerprint generated for mitigation includes the specific fields referenced in your override expression.
+
+You may create an override to allowlist certain source IP addresses. However, since DDoS attacks are typically distributed across many different source IPs, the attack fingerprint may not include source IP addresses as a distinguishing characteristic. In such cases, the override is not be applied.
 <br/>
 
   For example, if you have an expression matching <GlossaryTooltip term="data packet">packets</GlossaryTooltip> with a specific source IP address and the override sets the sensitivity level to low, this override will only lower the sensitivity level for traffic that comes directly from that source IP address. If the DDoS protection system detects an attack coming from many source IP addresses targeted at a single destination IP and port, the generated fingerprint will only match the common criteria of the attack which, in this example, does not include the source IP address. The system will trigger the required mitigation actions at the default high sensitivity level because the traffic did not come from the user-provided source IP address. Therefore, traffic from the source IP in the override expression may still be blocked because the fingerprint only contains the destination IP address and port of the attack.
