Channel: Symantec Connect - Products - Discussions

Application and Device Control Notifications in SEPM

I need a solution

Hi,

Don't know if this is intended or I am doing something wrong.

I set an ADC rule with only the 'log' action, set severity to critical, and I correctly see all events in Monitors\Logs\ADC Logs.

The thing I don't understand is that I also set a notification condition (breakout) to email me when there are 10 events in 10 minutes on a single computer, and I never receive an email about it. The only notification emails I get are about tamper protection and none are about my custom ADC rules.

Settings for notification condition:
Single computer, Application Control events, Damper: none.

I just wonder, maybe custom ADC rules aren't checked by these notifications?

Talking about the rule itself, it's a kind of prevention against encrypter trojans: it triggers if any application modifies an xls or doc file. Exceptions include all our official programs, MS Office, archivers, etc.

As I said earlier, the ADC rule is working - I see all events in the log section, and their number is definitely more than enough for the breakout condition I set in the notification.
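
Added example, not part of the original post and not Symantec code: a way to cross-check, from exported ADC log events, whether any single computer really reaches 10 events within 10 minutes as the notification condition above requires. The CSV column names, computer names and sample rows are constructed assumptions, not SEPM's export format.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse_rows(text):
    """Parse CSV text with assumed columns: time (ISO 8601), computer, rule."""
    return [
        {"time": datetime.fromisoformat(r["time"]), "computer": r["computer"], "rule": r["rule"]}
        for r in csv.DictReader(io.StringIO(text))
    ]

def find_breakouts(rows, threshold=10, window=timedelta(minutes=10)):
    """Return {computer: time the threshold was first reached inside the window}."""
    recent = defaultdict(deque)   # per-computer timestamps still inside the window
    hits = {}
    for row in sorted(rows, key=lambda r: r["time"]):
        q = recent[row["computer"]]
        q.append(row["time"])
        # Half-open window (assumption): an event exactly 10 minutes old no longer counts.
        while row["time"] - q[0] >= window:
            q.popleft()
        if len(q) >= threshold and row["computer"] not in hits:
            hits[row["computer"]] = row["time"]
    return hits

def sample_csv():
    """Constructed sample data, not real SEPM output."""
    start = datetime(2024, 1, 15, 9, 0, 0)
    lines = ["time,computer,rule"]
    def burst(computer, count, step_seconds):
        for i in range(count):
            t = start + timedelta(seconds=i * step_seconds)
            lines.append(f"{t.isoformat()},{computer},Office file modified")
    burst("PC-A", 10, 30)    # 10 events in 4.5 minutes: meets the condition
    burst("PC-B", 12, 120)   # 12 events, but never more than 5 in any 10 minutes
    burst("PC-C", 6, 50)     # PC-C and PC-D together exceed 10 in 10 minutes,
    burst("PC-D", 6, 50)     # but neither does on its own
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    for computer, when in find_breakouts(parse_rows(sample_csv())).items():
        print(f"{computer}: threshold reached at {when.isoformat()}")
```

In the constructed data only PC-A qualifies, which shows how a log view with many events in total can still fall short of a per-computer threshold.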
