Rule for Applocker

Leitner · May 25, 2023, 9:18am

Hi,

first of all: I'm a newby with Elastic. So sorry for this question. But I just can't get any further.

I want to create a rule for MS Applocker.

At Analytics - Discover with filter event.code : 8004 and event.provider = Microsoft-Windows-AppLocker I get all events related to Applocker.

But at Security - Rules I'm not able to create a rule to classify this Events.
I do: Create new rule -> Custom query -> event.code : "8004" (as autocomplete suggested to me) -> quick query preview "Last month" -> preview results. But zero results are shown.

Where is the mistake? I can't find anything.

Patrick

Leitner · June 12, 2023, 1:45pm

Doesn't anyone have an idea how this could work?

Patrick

Leitner · June 21, 2023, 11:31am

Found out, that only the graph lies/is waste.
Inspect the result an see the truth!

system · July 19, 2023, 11:31am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.