Rule for Applocker

Elastic Security
1

Hi,

first of all: I'm a newby with Elastic. So sorry for this question. But I just can't get any further.

I want to create a rule for MS Applocker.

At Analytics - Discover with filter event.code : 8004 and event.provider = Microsoft-Windows-AppLocker I get all events related to Applocker.

But at Security - Rules I'm not able to create a rule to classify this Events.
I do: Create new rule -> Custom query -> event.code : "8004" (as autocomplete suggested to me) -> quick query preview "Last month" -> preview results. But zero results are shown.

Where is the mistake? I can't find anything.

Patrick