Re: User-defined rule being triggered weeks after it was created
A user doesn't have to log on for their credentials to be used. An intelligent piece of malware can obtain someone's credentials and then use them at its leisure.
Access Protection is going to generate an event when it sees the violation occurring, so you can infer that this user logged in (or something with their credentials did).
The other scenario that comes to mind is if an event was generated long ago (when the user had been logged in) but the event was not uploaded until recently (an agent-to-server communication problem). The date/timestamp on the event itself would tell you if it's recent, or if it's old and only now made its way to the server.
You should not expect ODS running twice daily to know about user-defined AP rules. They are completely separate features.
Maybe you were expecting the ODS to find this crypto_notes.txt file? That warrants a lot of follow up questions best left between you and a support person, if it's something you'd like to work through.
William W. Warren | S.I.R.R. | Customer Success Group | McAfee
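The timestamp check described in the reply above (is the event fresh, or old and only now uploaded?) can be scripted against an event export. The following is an added example, not code from the post or from McAfee; it assumes a CSV export with DetectedUTC and ReceivedUTC columns (the column names follow the EPOEvents table, but treat them as an assumption and adjust to your own export) and uses constructed sample rows.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export. Column names are an assumption for this example;
# the second row is an old detection that only reached the server weeks later.
SAMPLE_EXPORT = """DetectedUTC,ReceivedUTC,AgentGUID,TargetUserName,ThreatName,TargetFileName
2024-05-02T09:14:31Z,2024-05-02T09:20:05Z,{A1},CORP\\jsmith,User-defined rule: block crypto_notes,C:\\Users\\jsmith\\crypto_notes.txt
2024-04-10T22:03:12Z,2024-05-02T09:20:05Z,{A1},CORP\\jsmith,User-defined rule: block crypto_notes,C:\\Users\\jsmith\\crypto_notes.txt
2024-05-02T09:15:00Z,2024-05-02T09:21:40Z,{B2},CORP\\svc-backup,User-defined rule: block crypto_notes,D:\\staging\\crypto_notes.txt
"""


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify_events(csv_text, stale_after=timedelta(days=1)):
    """Return one dict per event with the detect-to-receive lag and a verdict.

    'recent'  : the violation happened shortly before the server saw it.
    'delayed' : the agent detected it long ago (an upload backlog), so the
                event date, not the receipt date, is when the credentials
                were actually in use.
    """
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        detected = parse_ts(row["DetectedUTC"])
        received = parse_ts(row["ReceivedUTC"])
        lag = received - detected
        results.append({
            "user": row["TargetUserName"],
            "agent": row["AgentGUID"],
            "rule": row["ThreatName"],
            "file": row["TargetFileName"],
            "detected": detected,
            "received": received,
            "lag": lag,
            "verdict": "delayed" if lag > stale_after else "recent",
        })
    return results


def latest_activity_by_user(events):
    """Map each account to the most recent DetectedUTC attributed to it.

    This is the best evidence the AP event gives for when the account (or
    something holding its credentials) last touched the protected path.
    """
    latest = {}
    for ev in events:
        if ev["user"] not in latest or ev["detected"] > latest[ev["user"]]:
            latest[ev["user"]] = ev["detected"]
    return latest


if __name__ == "__main__":
    events = classify_events(SAMPLE_EXPORT)
    for ev in events:
        print(f"{ev['detected'].isoformat()}  {ev['user']:<18} "
              f"lag={ev['lag']}  {ev['verdict']}  {ev['file']}")
    for user, when in latest_activity_by_user(events).items():
        print(f"last activity for {user}: {when.isoformat()}")
```

A delayed event with a DetectedUTC weeks back means the credentials were used weeks back; pairing the DetectedUTC with the agent's communication log for that window usually shows the upload gap. A recent event with no matching interactive logon is the case worth escalating.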