LoFP / unlikely, since this event notifies about blocked application deployment. tune your applocker rules to avoid blocking legitimate applications.

Techniques

Sample rules

Deployment AppX Package Was Blocked By AppLocker

• source: sigma
• technicques:

Description

Detects an appx package deployment that was blocked by AppLocker policy.

Detection logic

condition: selection
selection:
  EventID: 412

Deployment Of The AppX Package Was Blocked By The Policy

• source: sigma
• technicques:

Description

Detects an appx package deployment that was blocked by the local computer policy. The following events indicate that an AppX package deployment was blocked by a policy:

• Event ID 441: The package deployment operation is blocked by the “Allow deployment operations in special profiles” policy
• Event ID 442: Deployments to non-system volumes are blocked by the “Disable deployment of Windows Store apps to non-system volumes” policy."
• Event ID 453: Package blocked by a platform policy.
• Event ID 454: Package blocked by a platform policy.

Detection logic

condition: selection
selection:
  EventID:
  - 441
  - 442
  - 453
  - 454