The best that I can suggest doing is to report on events where threat type is "access protection" and threat name "Contains: User-defined" (or "User", a string long enough to be non-ambiguous). Threat name contains the exact AP rule name.
Of course, make sure you reproduce an issue that triggers this new rule beforehand (and wait until it is processed and sent up to ePO).
Thanks Attila, almost nailed it. I can't see a way to display the user-defined rules that are in "reporting" mode. If I set a user-defined ruleset to "block" then it displays. Any ideas on capturing "report" only? Thanks a lot!