diff --git a/rules/windows/builtin/win_applocker_file_was_not_allowed_to_run.yml b/rules/windows/builtin/win_applocker_file_was_not_allowed_to_run.yml
new file mode 100644
index 000000000..561bf7aec
--- /dev/null
+++ b/rules/windows/builtin/win_applocker_file_was_not_allowed_to_run.yml
@@ -0,0 +1,37 @@
+title: File Was Not Allowed To Run 
+id: 401e5d00-b944-11ea-8f9a-00163ecd60ae
+description: Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events.
+status: experimental
+tags:
+    - attack.execution
+    - attack.t1204
+    - attack.t1086
+    - attack.t1064
+    - attack.t1035
+references:
+    - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker
+    - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker
+    - https://nxlog.co/documentation/nxlog-user-guide/applocker.html
+author: Pushkarev Dmitry
+date: 2020/06/28
+logsource:
+    product: windows
+    service: applocker
+detection:
+    selection:
+        EventID:
+          - 8004
+          - 8007
+    condition: selection
+fields:
+    - PolicyName
+    - RuleId
+    - RuleName
+    - TargetUser
+    - TargetProcessId
+    - FilePath
+    - FileHash
+    - Fqbn
+falsepositives:
+    - need tuning applocker or add exceptions in SIEM
+level: medium