
Summary
The rule "File Was Not Allowed To Run" detects attempts to execute files that the configured AppLocker policies on Windows systems do not permit. AppLocker is essential for application whitelisting, particularly in server environments where unprivileged users may be able to run executables. When configured correctly, AppLocker logs unauthorized execution attempts, and administrators can analyze those logs to mitigate potential security threats.

The rule works by monitoring the Windows Event IDs associated with AppLocker actions: 8004 (file not allowed), 8007 (executable not allowed), 8022 (deny exemptions), and 8025 (script not allowed). It captures the fields PolicyName, RuleId, RuleName, TargetUser, TargetProcessId, FilePath, FileHash, and Fully Qualified Binary Name (Fqbn) to provide detailed context on each event.

Implementing this rule may produce false positives, which indicates that the AppLocker policy needs tuning or that exceptions should be added in the Security Information and Event Management (SIEM) system. This functionality helps enhance the overall security posture by preventing unauthorized software execution while maintaining operational effectiveness in day-to-day tasks.
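The selection logic described above, worked through in code as an added example (this is not the rule's own Sigma definition or any vendor code): a small evaluator that keeps only events with one of the four AppLocker deny Event IDs, lifts the context fields into an alert, and applies a SIEM-side tuning exception on FilePath so a known, already-investigated denial does not keep paging analysts. The channel prefix `Microsoft-Windows-AppLocker` is the real AppLocker log family; the sample events, the exception glob, the GUID, SID, hash and paths are all constructed for the example.

```python
"""Toy evaluator for the "File Was Not Allowed To Run" selection logic.

Added example; not the rule's own code. Events are plain dicts shaped like
the fields an AppLocker deny event exposes once parsed by a log agent.
"""
from fnmatch import fnmatch
from typing import Dict, Iterable, List, Optional

# The four Event IDs the rule monitors (see the summary for their meanings).
DENY_EVENT_IDS = {8004, 8007, 8022, 8025}

# Context fields the rule carries into the alert.
CONTEXT_FIELDS = ("PolicyName", "RuleId", "RuleName", "TargetUser",
                  "TargetProcessId", "FilePath", "FileHash", "Fqbn")

# Hypothetical SIEM-side exceptions: globs over FilePath for denials that
# were investigated and accepted as noise (e.g. a deliberately blocked
# legacy tool). Constructed for this example; tune per environment.
FALSE_POSITIVE_FILTERS = ["%OSDRIVE%\\TOOLS\\LEGACY\\*.EXE"]


def is_suppressed(file_path: str, filters=FALSE_POSITIVE_FILTERS) -> bool:
    """True when the denied path matches a tuning exception (case-insensitive)."""
    path = file_path.upper()
    return any(fnmatch(path, pattern.upper()) for pattern in filters)


def evaluate(event: Dict, filters=FALSE_POSITIVE_FILTERS) -> Optional[Dict]:
    """Apply the rule to one parsed event; return an alert dict or None."""
    if event.get("EventID") not in DENY_EVENT_IDS:
        return None  # allow/audit events and unrelated IDs never alert
    if not str(event.get("Channel", "")).startswith("Microsoft-Windows-AppLocker"):
        return None  # same IDs in another log family are not AppLocker denials
    alert = {"EventID": event["EventID"]}
    for field in CONTEXT_FIELDS:
        alert[field] = event.get(field)  # None when the event lacks the field
    alert["Suppressed"] = is_suppressed(alert["FilePath"] or "", filters)
    return alert


def run_rule(events: Iterable[Dict], filters=FALSE_POSITIVE_FILTERS) -> List[Dict]:
    """Return the alerts that survive the tuning exceptions, in input order."""
    alerts = []
    for event in events:
        alert = evaluate(event, filters)
        if alert and not alert["Suppressed"]:
            alerts.append(alert)
    return alerts


# Constructed sample events: one genuine denial, one denial covered by the
# exception, one non-deny event, and one denial missing the Fqbn field.
SAMPLE_EVENTS = [
    {"EventID": 8004, "Channel": "Microsoft-Windows-AppLocker/EXE and DLL",
     "PolicyName": "EXE", "RuleId": "{11111111-2222-3333-4444-555555555555}",
     "RuleName": "(Default Rule) All files", "TargetUser": "S-1-5-21-111-222-333-1001",
     "TargetProcessId": 4120,
     "FilePath": "%OSDRIVE%\\USERS\\JDOE\\DOWNLOADS\\UPDATE.EXE",
     "FileHash": "0xCONSTRUCTEDHASH01", "Fqbn": "-"},
    {"EventID": 8004, "Channel": "Microsoft-Windows-AppLocker/EXE and DLL",
     "PolicyName": "EXE", "RuleId": "{11111111-2222-3333-4444-555555555555}",
     "RuleName": "(Default Rule) All files", "TargetUser": "S-1-5-21-111-222-333-1002",
     "TargetProcessId": 5288,
     "FilePath": "%OSDRIVE%\\TOOLS\\LEGACY\\REPORT.EXE",
     "FileHash": "0xCONSTRUCTEDHASH02", "Fqbn": "-"},
    {"EventID": 8002, "Channel": "Microsoft-Windows-AppLocker/EXE and DLL",
     "PolicyName": "EXE", "FilePath": "%SYSTEM32%\\NOTEPAD.EXE"},
    {"EventID": 8007, "Channel": "Microsoft-Windows-AppLocker/MSI and Script",
     "PolicyName": "MSI", "RuleId": "{66666666-7777-8888-9999-000000000000}",
     "RuleName": "(Default Rule) All Windows Installer files",
     "TargetUser": "S-1-5-21-111-222-333-1001", "TargetProcessId": 6012,
     "FilePath": "%OSDRIVE%\\USERS\\JDOE\\APPDATA\\LOCAL\\TEMP\\SETUP.MSI",
     "FileHash": "0xCONSTRUCTEDHASH03"},
]


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert["EventID"], alert["TargetUser"], alert["FilePath"], alert["Fqbn"])
```

Keeping the suppressed alerts available from `evaluate` (rather than dropping them inside it) lets you count how much a tuning exception is absorbing; an exception that silently swallows a growing share of denials is a sign the policy, not the SIEM filter, needs attention.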
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Logon Session
- Application Log
Created: 2020-06-28