Rule for Applocker

Leitner · May 25, 2023, 9:18am

Hi,

first of all: I'm a newby with Elastic. So sorry for this question. But I just can't get any further.

I want to create a rule for MS Applocker.

At Analytics - Discover with filter event.code : 8004 and event.provider = Microsoft-Windows-AppLocker I get all events related to Applocker.

But at Security - Rules I'm not able to create a rule to classify this Events.
I do: Create new rule -> Custom query -> event.code : "8004" (as autocomplete suggested to me) -> quick query preview "Last month" -> preview results. But zero results are shown.

Where is the mistake? I can't find anything.

Patrick

Leitner · June 12, 2023, 1:45pm

Doesn't anyone have an idea how this could work?

Patrick

Leitner · June 21, 2023, 11:31am

Found out, that only the graph lies/is waste.
Inspect the result an see the truth!

system · July 19, 2023, 11:31am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Help with collecting Custom Windows Event Logs with Elastic Agent Logs	1	1476	February 18, 2022
Custom Query detection Rule is not runnig on my elk Elastic Security	3	350	April 6, 2023
Problem with Detections - Custom query rule SIEM	10	678	September 8, 2022
Security events and rules matching SIEM	3	503	August 23, 2022
Microsoft 365 Detection Rule/Machine Learning Rule Elastic Security elastic-stack-machine-learning	3	963	November 4, 2022

Rule for Applocker

Related topics