The user-defined rule has a low risk of false positives since it targets specific folders in the system, but we do recommend verifying the events you have with report mode to see what would be blocked and testing the rule in a few systems before deploying to your entire environment in order to avoid any outages due to false positives.