first of all: I'm a newby with Elastic. So sorry for this question. But I just can't get any further.
I want to create a rule for MS Applocker.
At Analytics - Discover with filter event.code : 8004 and event.provider = Microsoft-Windows-AppLocker I get all events related to Applocker.
But at Security - Rules I'm not able to create a rule to classify this Events.
I do: Create new rule -> Custom query -> event.code : "8004" (as autocomplete suggested to me) -> quick query preview "Last month" -> preview results. But zero results are shown.
Where is the mistake? I can't find anything.