I suggest you make a query of events like this and see what process is initiating the triggering of this event type. Is it a single process or are there many processes? What is that process? That could be a good starting point to decide whether that process is legitim or not.
(my standpoint regarding notify only and this particular rule is that there is no use to use notify-only rules (other than on testing or investigation purpose) and this particular rule might not need to be enabled at all - Temp folder must be used somehow by programs - except if you undertake the task of putting exclusions to this rule's list thereby separating legitim use from illegitim use.)