So far we are using this in audit mode. A simple useful search we created was
source=AppLocker index=main EventCode=8003 OR EventCode=8006 | rex field=Message "(?<blocked_app>.*) was allowed to run but would have been prevented from running if the AppLocker policy were enforced." | table _time blocked_app User host
This created a table of time, application that would have been blocked, user, and host.
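The same filter-and-extract logic as an added Python example, not code from the original post: it mirrors the search (keep only the audit-mode event codes, pull the path out of the Message text, tabulate time, application, user, host) over constructed sample events shaped like Splunk's Windows event fields. The regex, the `audit_table` function and the sample records are this example's own assumptions.

```python
import re

# Equivalent of the rex in the search: everything before the audit-mode phrase is
# the application path. Non-greedy and anchored at the start so the path is taken
# whole and does not pick up the trailing space.
AUDIT_RE = re.compile(
    r"^(?P<blocked_app>.*?) was allowed to run but would have been prevented "
    r"from running if the AppLocker policy were enforced\."
)

# Audit-mode event IDs used in the search: 8003 (EXE/DLL) and 8006 (script/MSI).
AUDIT_EVENT_CODES = {8003, 8006}

def audit_table(events):
    """Return rows of _time, blocked_app, User, host for audit-mode events only."""
    rows = []
    for ev in events:
        if ev.get("EventCode") not in AUDIT_EVENT_CODES:
            continue  # other AppLocker events (e.g. enforced blocks) are not audit hits
        m = AUDIT_RE.match(ev.get("Message", ""))
        if not m:
            continue  # the rex would yield no blocked_app field for this message
        rows.append({
            "_time": ev["_time"],
            "blocked_app": m.group("blocked_app"),
            "User": ev.get("User"),
            "host": ev.get("host"),
        })
    return rows

# Constructed sample events (not real telemetry); Message text follows the
# wording quoted in the post. 8004 is an enforced block and must be skipped.
PHRASE = (" was allowed to run but would have been prevented from running "
          "if the AppLocker policy were enforced.")
SAMPLE_EVENTS = [
    {"_time": "2024-01-01T08:00:00", "EventCode": 8003, "User": "CORP\\alice",
     "host": "WS01", "Message": "%OSDRIVE%\\USERS\\ALICE\\DOWNLOADS\\TOOL.EXE" + PHRASE},
    {"_time": "2024-01-01T08:05:00", "EventCode": 8006, "User": "CORP\\bob",
     "host": "WS02", "Message": "%OSDRIVE%\\TEMP\\SETUP.MSI" + PHRASE},
    {"_time": "2024-01-01T08:06:00", "EventCode": 8004, "User": "CORP\\carol",
     "host": "WS03", "Message": "%OSDRIVE%\\TEMP\\X.EXE was prevented from running."},
    {"_time": "2024-01-01T08:07:00", "EventCode": 8003, "User": "CORP\\dave",
     "host": "WS04", "Message": "unexpected message format"},
]

if __name__ == "__main__":
    for row in audit_table(SAMPLE_EVENTS):
        print(row["_time"], row["blocked_app"], row["User"], row["host"])
```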