SPL, Apache-2.0, from splunk/security_content

Windows AppX Deployment Package Installation Success

This analytic detects successful MSIX/AppX package installations on Windows systems by monitoring EventID 854 in the Microsoft-Windows-AppXDeployment-Server/Operational log. This event is generated when an MSIX/AppX package has been successfully installed on a system. While most package installations are legitimate, monitoring these events can help identify unauthorized or suspicious package installations, especially when correlated with other events such as unsigned package installations (EventID 603 with Flags=8388608) or full trust package installations (EventID 400 with HasFullTrust=true).

Rule source: detections/endpoint/windows_appx_deployment_package_installation_success.yml
`wineventlog_appxdeploymentserver` EventCode=854
  | stats count min(_time) as firstTime max(_time) as lastTime values(Path) as PackagePath
    BY dvc EventCode user_id
  | rename dvc as dest
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_appx_deployment_package_installation_success_filter`
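The following Python is an added example, not code from splunk/security_content: it replays the `stats ... BY dvc EventCode user_id` aggregation above over constructed AppXDeployment-Server events and adds the correlation the description suggests, flagging an EventID 854 install that a 603 (Flags=8388608) or 400 (HasFullTrust=true) event preceded on the same host. The event field names Flags and HasFullTrust, the five-minute window and the sample records are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). EventCode, dvc, user_id and
# Path follow the search above; Flags and HasFullTrust are assumed field names
# for the EventID 603 and 400 records the description mentions.
EVENTS = [
    {"_time": "2024-05-01T10:00:00", "EventCode": 603, "dvc": "ws01", "user_id": "S-1-5-21-1", "Flags": 8388608},
    {"_time": "2024-05-01T10:00:05", "EventCode": 854, "dvc": "ws01", "user_id": "S-1-5-21-1", "Path": r"C:\Users\a\Downloads\tool.msix"},
    {"_time": "2024-05-01T11:00:00", "EventCode": 400, "dvc": "ws02", "user_id": "S-1-5-21-2", "HasFullTrust": "true"},
    {"_time": "2024-05-01T11:00:02", "EventCode": 854, "dvc": "ws02", "user_id": "S-1-5-21-2", "Path": r"C:\Temp\app.msix"},
    {"_time": "2024-05-01T12:00:00", "EventCode": 854, "dvc": "ws03", "user_id": "S-1-5-21-3", "Path": r"C:\Program Files\WindowsApps\vendor.app_1.0"},
]

def stats_854(events):
    """Replay of the search: count, min/max _time and values(Path) for EventCode=854,
    grouped BY dvc EventCode user_id, with dvc renamed to dest."""
    groups = {}
    for e in events:
        if e["EventCode"] != 854:
            continue
        t = datetime.fromisoformat(e["_time"])
        g = groups.setdefault((e["dvc"], e["EventCode"], e["user_id"]),
                              {"count": 0, "firstTime": t, "lastTime": t, "PackagePath": set()})
        g["count"] += 1
        g["firstTime"], g["lastTime"] = min(g["firstTime"], t), max(g["lastTime"], t)
        g["PackagePath"].add(e["Path"])
    return [{"dest": d, "EventCode": c, "user_id": u, **g, "PackagePath": sorted(g["PackagePath"])}
            for (d, c, u), g in groups.items()]

def risky_installs(events, window=timedelta(minutes=5)):
    """Correlation from the description: an 854 install preceded on the same host, within
    `window`, by an unsigned-package (603, Flags=8388608) or full-trust (400,
    HasFullTrust=true) event. Returns {dest: reason}; plain installs (ws03) are not flagged."""
    precursors = defaultdict(list)  # dvc -> [(time, reason)]
    for e in events:
        t = datetime.fromisoformat(e["_time"])
        if e["EventCode"] == 603 and e.get("Flags") == 8388608:
            precursors[e["dvc"]].append((t, "unsigned package"))
        elif e["EventCode"] == 400 and str(e.get("HasFullTrust", "")).lower() == "true":
            precursors[e["dvc"]].append((t, "full trust package"))
    hits = {}
    for e in events:
        if e["EventCode"] != 854:
            continue
        t = datetime.fromisoformat(e["_time"])
        for pt, reason in precursors.get(e["dvc"], []):
            if timedelta(0) <= t - pt <= window:
                hits[e["dvc"]] = reason
    return hits

if __name__ == "__main__":
    for row in stats_854(EVENTS):
        print(row)
    print(risky_installs(EVENTS))
```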