I'd consider the following practice useful (although not an easy one): create a query in multi-level table format and filter it by the desired Access Protection rule. When you run the query, you'll have all the processes for which the rule has triggered (and possibly how many times; the number of times is also a suspicion factor, depending on the query interval).
This then needs some human intelligence and investigation, but roughly you can see which processes are most suspicious and which are likely not.
I would consider suspicious processes to be ones like svchost.exe, lsass.exe, etc. (all the Windows system processes), or other processes that, as shown, reside in a very unusual folder (like the Temp folder, a user's folder, etc.). Other processes that seem to belong to other well-known or unknown applications might be investigated. Some other applications, like management clients, might be considered for exclusion from the rule (after testing whether they really do want to terminate).
You did not specify it, but I assume the rule itself notifies and blocks at the same time.
Message was edited by: apoling on 18/04/13 12:25:50 CEST
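The triage the post describes, written out as an added example (this is not code from the original post and not McAfee's own tooling): it takes an exported Access Protection event list, keeps only the rows for one rule, counts hits per process, and sorts each process into "suspicious" (Windows system process name, unusual folder, or a high hit rate over the query interval), "candidate for exclusion" (a management client the admin has already tested), or "investigate". The CSV column names, the rule name, the sample rows, the process name lists and the rate threshold are all assumptions made for the example.

```python
"""Triage Access Protection rule events per process (added example).

Assumptions (not from the original post): the ePO query is exported as CSV
with columns rule_name, process_path, host; the process lists and the
hits-per-hour threshold below are illustrative values an admin would tune.
"""
import csv
import io
from collections import Counter

# Constructed sample export; the rule name and hosts are made up for the example.
SAMPLE_EXPORT = """rule_name,process_path,host
Prevent termination of McAfee processes,C:\\Windows\\System32\\svchost.exe,WS01
Prevent termination of McAfee processes,C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe,WS01
Prevent termination of McAfee processes,C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe,WS01
Prevent termination of McAfee processes,C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe,WS02
Prevent termination of McAfee processes,C:\\Windows\\CCM\\CcmExec.exe,WS03
Prevent termination of McAfee processes,C:\\Windows\\CCM\\CcmExec.exe,WS03
Prevent termination of McAfee processes,C:\\Program Files\\SomeApp\\someapp.exe,WS02
Prevent modification of McAfee files,C:\\Windows\\System32\\notepad.exe,WS01
"""

# Windows system processes that should never be trying to kill the AV client.
WINDOWS_SYSTEM_PROCESSES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "explorer.exe", "smss.exe",
}
# Folder fragments the post calls "very unusual" for a process image (lower-case).
UNUSUAL_PATH_MARKERS = ("\\temp\\", "\\users\\", "\\appdata\\", "\\programdata\\")
# Assumption: management clients the admin has tested and may exclude from the rule.
KNOWN_MANAGEMENT_CLIENTS = {"ccmexec.exe"}
# Assumption: above this many hits per hour the volume itself is a suspicion factor.
DEFAULT_RATE_THRESHOLD = 10.0


def parse_export(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def count_by_process(rows, rule_name):
    """Hits per process image (lower-cased path) for one Access Protection rule."""
    counts = Counter()
    for row in rows:
        if row["rule_name"] == rule_name:
            counts[row["process_path"].lower()] += 1
    return counts


def classify(process_path, hits, interval_hours=24, rate_threshold=DEFAULT_RATE_THRESHOLD):
    """Return (verdict, reasons) for one process, following the post's heuristics."""
    low = process_path.lower()
    name = low.rsplit("\\", 1)[-1]
    reasons = []
    if name in WINDOWS_SYSTEM_PROCESSES:
        reasons.append("windows system process name")
    if any(marker in low for marker in UNUSUAL_PATH_MARKERS):
        reasons.append("unusual folder")
    if hits / interval_hours >= rate_threshold:
        reasons.append(f"high rate: {hits} hits in {interval_hours}h")
    if reasons:
        return "suspicious", reasons
    if name in KNOWN_MANAGEMENT_CLIENTS:
        return "candidate for exclusion", ["known management client; test before excluding"]
    return "investigate", ["unknown or third-party application"]


def triage(export_text, rule_name, interval_hours=24):
    """Map each process that triggered rule_name to (hits, verdict, reasons)."""
    counts = count_by_process(parse_export(export_text), rule_name)
    report = {}
    for path, hits in counts.most_common():
        verdict, reasons = classify(path, hits, interval_hours)
        report[path] = (hits, verdict, reasons)
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT, "Prevent termination of McAfee processes")
    for path, (hits, verdict, reasons) in result.items():
        print(f"{hits:3d}  {verdict:24s} {path}  ({'; '.join(reasons)})")
```

The counting step is what the ePO query itself gives you; the `classify` step is the "human intelligence" part reduced to three checks, so treat its output as an ordering for manual review rather than a verdict, and only move a process to the exclusion list after confirming that it really does try to terminate the protected process.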