The incident appeared, but I wonder which type of file will be generated when using observe mode, and what is the main purpose of this mode?
The main purpose is to check/verify that your policies are correct without having an effect on the end user/client, having many support calls, etc. But remember to turn it off for production.
One further benefit is that in ePO you can go to the observation events (I think that should be the screen you posted), select an event > Actions and directly create a whitelist entry (based on hash), updater, etc. and create a policy (or add to an existing policy).
Check the "What's new?" hyperlink present on the Policy Discovery UI page in ePO (check the upper-right corner). It will take you to a KB describing the principal changes made in v6.1.2 for Observation mode and how it works.
Firstly, I think like you said, but as you can see, when I turn to observe mode my policy is working, but observe mode generates events that are not even related to my policy. For example, I just created a rule for the IE binary, but when I try to install Chrome the event was generated. In contrast, I cannot open IE, which means we cannot observe policy violations; that is why I ask about this feature's purpose.
Observe mode does not function in a way that shows the same event each time it happens. It notes it the first time so that a rule/policy can be made, and that's it. When you "Enable" Application Control, then it reports the violation all the time.
In order to see the original event again, you would need to clear the events already seen on the endpoint, change the system to Disabled mode, reboot, place it into Observe mode and reboot again, and then it would capture the event. But to see the event constantly for the offending item (.exe, .dll, etc.), the endpoint device needs to be in an "Enabled" state.