Data Source: Windows Event Log AppXDeployment-Server 855

Description

This data source captures Windows Event Logs from the Microsoft-Windows-AppXDeploymentServer/Operational channel, specifically focusing on EventCode 855. These events are generated when a package deployment operation completes successfully, providing details about the packages that were installed or updated.

Event ID 855 is particularly valuable for security monitoring as it confirms the successful installation of MSIX packages, including information about the package identifiers. This can help identify potentially malicious package installations in an environment.

Monitoring these events can help track MSIX package installations across an environment, which is important given that MSIX packages have been leveraged by threat actors such as FIN7, Zloader (Storm-0569), and FakeBat (Storm-1113) for malware delivery.

Details

Property    Value
Source      XmlWinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational
Sourcetype  XmlWinEventLog
Separator   EventCode

Supported Apps

Event Fields

Fields

CategoryString
Channel
Computer
Correlation
EventCode
EventData_Xml
EventID
EventRecordID
Keywords
Level
Opcode
PackageMoniker
ProcessID
Provider
ProviderGuid
Task
ThreadID
TimeCreated
Version
_time
dest
host
user_id

Example Log

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-AppXDeployment-Server' Guid='{3f471139-acb7-4a01-b7a7-ff5da4ba2d43}'/>
    <EventID>855</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>4</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000001</Keywords>
    <TimeCreated SystemTime='2025-08-06T16:20:58.5814488Z'/>
    <EventRecordID>16417</EventRecordID>
    <Correlation ActivityID='{df6fb197-9b7b-0002-d0dd-a29ded06dc01}'/>
    <Execution ProcessID='5820' ThreadID='5960'/>
    <Channel>Microsoft-Windows-AppXDeploymentServer/Operational</Channel>
    <Computer>HaagMSIX</Computer>
    <Security UserID='S-1-5-21-2568234075-4274264167-1034506908-500'/>
  </System>
  <EventData>
    <Data Name='PackageMoniker'> addPackageList: Microsoft.DesktopAppInstaller_1.26.430.0_neutral_split.scale-100_8wekyb3d8bbwe Microsoft.DesktopAppInstaller_2025.717.1857.0_neutral_~_8wekyb3d8bbwe updateList: Microsoft.DesktopAppInstaller_1.26.429.0_x64__8wekyb3d8bbwe is updating to Microsoft.DesktopAppInstaller_1.26.430.0_x64__8wekyb3d8bbwe</Data>
  </EventData>
</Event>
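The PackageMoniker field above packs several package identities into one string: an addPackageList of packages installed and an updateList of "old is updating to new" pairs, each identity in the MSIX full-name layout Name_Version_Architecture_ResourceId_PublisherId. The following Python is an added example (not part of this data source or of any Splunk content) that parses the example event from this page, splits PackageMoniker into its package identities, and flags any package whose publisher id is not on an allowlist. The allowlist, the placeholder publisher id "placeholderid" and the Contoso.ExampleTool package in the second moniker are constructed for the demonstration; the only real publisher id used is the Microsoft one present in the example log.

```python
"""Added example: parse an AppXDeployment-Server EventID 855 event and split the
PackageMoniker field into package identities so unexpected publishers stand out."""
import re
import xml.etree.ElementTree as ET

# Windows event schema namespace, taken from the example log on this page.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# MSIX package full name: Name_Version_Architecture_ResourceId_PublisherId.
# The resource id may be empty ("x64__") or "~", both of which appear in the example log.
PACKAGE_RE = re.compile(
    r"(?P<name>[A-Za-z0-9.\-]+)_"
    r"(?P<version>\d+(?:\.\d+){3})_"
    r"(?P<arch>[^_\s]+)_"
    r"(?P<resource>[^_\s]*)_"
    r"(?P<publisher>[a-z0-9]{13})"
)

# Assumption for the demonstration: the publisher id of the Microsoft packages in the
# example log is the whole allowlist. A real deployment would maintain its own list.
TRUSTED_PUBLISHERS = {"8wekyb3d8bbwe"}

# The example log from this page, reflowed for readability (content unchanged).
SAMPLE_EVENT = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System><Provider Name='Microsoft-Windows-AppXDeployment-Server' Guid='{3f471139-acb7-4a01-b7a7-ff5da4ba2d43}'/>
<EventID>855</EventID><Version>0</Version><Level>4</Level><Task>4</Task><Opcode>0</Opcode>
<Keywords>0x4000000000000001</Keywords><TimeCreated SystemTime='2025-08-06T16:20:58.5814488Z'/>
<EventRecordID>16417</EventRecordID><Correlation ActivityID='{df6fb197-9b7b-0002-d0dd-a29ded06dc01}'/>
<Execution ProcessID='5820' ThreadID='5960'/><Channel>Microsoft-Windows-AppXDeploymentServer/Operational</Channel>
<Computer>HaagMSIX</Computer><Security UserID='S-1-5-21-2568234075-4274264167-1034506908-500'/></System>
<EventData><Data Name='PackageMoniker'> addPackageList: Microsoft.DesktopAppInstaller_1.26.430.0_neutral_split.scale-100_8wekyb3d8bbwe Microsoft.DesktopAppInstaller_2025.717.1857.0_neutral_~_8wekyb3d8bbwe updateList: Microsoft.DesktopAppInstaller_1.26.429.0_x64__8wekyb3d8bbwe is updating to Microsoft.DesktopAppInstaller_1.26.430.0_x64__8wekyb3d8bbwe</Data></EventData>
</Event>"""

# Constructed PackageMoniker with a placeholder publisher id (not a real package).
CONSTRUCTED_MONIKER = "addPackageList: Contoso.ExampleTool_1.0.0.0_x64__placeholderid"


def package_fields(full_name: str) -> dict:
    """Split a package full name into its five identity components."""
    m = PACKAGE_RE.fullmatch(full_name)
    if m is None:
        raise ValueError(f"not a package full name: {full_name!r}")
    return m.groupdict()


def parse_package_moniker(moniker: str) -> dict:
    """Return {'added': [full_name, ...], 'updated': [(old, new), ...]}."""
    add_part, _, update_part = moniker.partition("updateList:")
    add_part = add_part.replace("addPackageList:", "")
    added = [m.group(0) for m in PACKAGE_RE.finditer(add_part)]
    updated = re.findall(r"(\S+) is updating to (\S+)", update_part)
    return {"added": added, "updated": updated}


def parse_event(xml_text: str) -> dict:
    """Pull the fields a detection would key on out of an EventID 855 record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    moniker = root.find("e:EventData/e:Data[@Name='PackageMoniker']", NS).text or ""
    return {
        "event_id": int(system.find("e:EventID", NS).text),
        "record_id": int(system.find("e:EventRecordID", NS).text),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "computer": system.find("e:Computer", NS).text,
        "user_id": system.find("e:Security", NS).get("UserID"),
        "packages": parse_package_moniker(moniker.strip()),
    }


def flag_untrusted(packages: dict, allowlist: set) -> list:
    """Full names of installed or updated packages whose publisher id is not allowlisted.
    For updates only the new package identity is checked."""
    candidates = list(packages["added"]) + [new for _old, new in packages["updated"]]
    return [p for p in candidates if package_fields(p)["publisher"] not in allowlist]


if __name__ == "__main__":
    event = parse_event(SAMPLE_EVENT)
    print(event["computer"], event["user_id"], event["packages"])
    print("untrusted:", flag_untrusted(parse_package_moniker(CONSTRUCTED_MONIKER), TRUSTED_PUBLISHERS))
```

Keying on the publisher id rather than the display name is deliberate: the publisher id is derived from the signing certificate subject, so a package that merely copies a familiar name still lands outside the allowlist. The empty-resource case ("x64__") is the one most regexes get wrong, which is why the resource group is allowed to be empty.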

Source: GitHub | Version: 1