heroui logo

AppLocker Application Would Have Been Blocked

Sigma Rules

View Source
Summary
This rule detects Windows AppLocker audit logs that indicate an Application, DLL, Script, MSI, or Packaged-App would have been blocked if AppLocker were running in Enforce mode. It monitors AppLocker audit events (Event IDs 8003, 8006, 8021, 8024) emitted to the Windows Application Log. The detection helps validate policy effectiveness and identify potential blocks before switching to Enforce mode, supporting safe policy tuning. The rule is labeled experimental and is intended for use during policy testing, auditing, or audit-mode deployments to surface enforcement gaps without actually blocking execution.
Categories
  • Windows
  • Endpoint
Data Sources
  • Application Log
Created: 2026-03-26