Rule for Applocker


First of all: I'm a newbie with Elastic. So sorry for this question. But I just can't get any further.

I want to create a rule for MS Applocker.

At Analytics - Discover with the filter event.code : 8004 and event.provider : Microsoft-Windows-AppLocker I get all events related to AppLocker.

But at Security - Rules I'm not able to create a rule to classify these events.
I do: Create new rule -> Custom query -> event.code : "8004" (as autocomplete suggested to me) -> quick query preview "Last month" -> preview results. But zero results are shown.

Where is the mistake? I can't find anything.


Doesn't anyone have an idea how this could work?


Found out that only the graph lies/is waste.
Inspect the result and see the truth!
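As an added example (not code from the thread or from Elastic), here is the same AppLocker filter expressed as a custom query rule body for the Kibana detection engine API, together with an offline matcher that applies the identical condition to a few constructed ECS-style documents. AppLocker event ID 8004 means an EXE or DLL was prevented from running, which is why it is the interesting one for a detection. The index patterns, rule name, severity and the sample events are assumptions; `event.code` is a keyword field in ECS, so quoting the value, as the autocomplete suggested, is correct.

```python
"""
Added example: AppLocker block (event 8004) as an Elastic custom query rule,
plus the same filter evaluated offline over constructed sample events.
"""
import json
from typing import Dict, List

# The query from the thread: AppLocker provider, event 8004 (execution blocked).
APPLOCKER_BLOCK_QUERY = (
    'event.code : "8004" and event.provider : "Microsoft-Windows-AppLocker"'
)

# Body for POST /api/detection_engine/rules (type "query", KQL language).
# Name, severity, interval and index patterns are assumptions; adjust to your
# own Windows data streams.
APPLOCKER_BLOCK_RULE: Dict = {
    "name": "AppLocker blocked execution (event 8004)",
    "description": "An EXE or DLL was prevented from running by an AppLocker policy.",
    "type": "query",
    "language": "kuery",
    "query": APPLOCKER_BLOCK_QUERY,
    "index": ["winlogbeat-*", "logs-windows.*"],  # assumption: typical Windows patterns
    "risk_score": 47,
    "severity": "medium",
    "interval": "5m",
    "from": "now-6m",  # small overlap so late-arriving events are not missed
    "enabled": True,
}


def rule_payload() -> str:
    """Serialise the rule body as the JSON you would send to Kibana."""
    return json.dumps(APPLOCKER_BLOCK_RULE, indent=2)


def is_applocker_block(doc: Dict) -> bool:
    """Offline equivalent of the rule query for one ECS-style document.

    event.code is compared as a string because it is a keyword field in ECS;
    a document that carries it as an integer should still match.
    """
    event = doc.get("event", {})
    code = str(event.get("code", ""))
    provider = event.get("provider", "")
    return code == "8004" and provider == "Microsoft-Windows-AppLocker"


def select_hits(docs: List[Dict]) -> List[Dict]:
    """Return only the documents the rule would alert on."""
    return [d for d in docs if is_applocker_block(d)]


# Constructed sample documents (not real log data).
SAMPLE_EVENTS: List[Dict] = [
    {  # blocked executable: should alert
        "event": {"code": "8004", "provider": "Microsoft-Windows-AppLocker"},
        "file": {"path": "C:\\Users\\alice\\Downloads\\unsigned-tool.exe"},
    },
    {  # same event with a numeric code: should still alert
        "event": {"code": 8004, "provider": "Microsoft-Windows-AppLocker"},
        "file": {"path": "C:\\Temp\\helper.dll"},
    },
    {  # 8002 = allowed to run: not an alert
        "event": {"code": "8002", "provider": "Microsoft-Windows-AppLocker"},
        "file": {"path": "C:\\Windows\\System32\\notepad.exe"},
    },
    {  # 8004 from a different provider: not an AppLocker block
        "event": {"code": "8004", "provider": "Microsoft-Windows-Security-Auditing"},
    },
]


if __name__ == "__main__":
    print(rule_payload())
    for hit in select_hits(SAMPLE_EVENTS):
        print("would alert on:", hit.get("file", {}).get("path", "<no path>"))
```

When checking the rule preview, read the result table rather than the histogram alone, as the thread's last reply notes; the table is what the rule will actually produce alerts from.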
