Data Source: Windows Event Log AppXDeployment-Server 854

Description

This data source captures Windows Event Logs from the Microsoft-Windows-AppXDeploymentServer/Operational channel, specifically focusing on EventCode 854. These events are generated when an MSIX/AppX package has been successfully installed on a system.

Event ID 854 provides information about successful package installations, including the path to the installed package and the user who performed the installation. This data is valuable for security monitoring as it can help identify unauthorized or suspicious package installations.

While most package installations are legitimate, monitoring these events can help identify potentially malicious activity, especially when correlated with other events such as unsigned package installations (EventID 603 with Flags=8388608) or full trust package installations (EventID 400 with HasFullTrust=true).
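The correlation just described can be prototyped outside Splunk by parsing the raw event XML. The following is an added example written for this page, not code from the Splunk Security Content project: it extracts EventID, Computer, the Security UserID and the EventData fields from each event, then flags an EventID 854 install when the same user on the same host produced an EventID 603 carrying the unsigned flag (8388608, treated here as a bit flag) or an EventID 400 with HasFullTrust=true within a short window. The EventData names `Flags` and `HasFullTrust` for the 603 and 400 events, the 5-minute window and the host+user correlation key are assumptions; the sample events are constructed in the shape of the example log above.

```python
"""Flag AppX/MSIX installs (EventID 854) correlated with unsigned (603) or
full-trust (400) package events. Added example; assumptions are marked."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
UNSIGNED_FLAG = 8388608  # Flags value the page lists for EventID 603


def parse_time(system_time):
    """Parse the 7-digit-fraction SystemTime Windows writes into a UTC datetime."""
    base, _, frac = system_time.rstrip("Z").partition(".")
    micros = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micros, tzinfo=timezone.utc)


def parse_event(xml_text):
    """Return the fields this detection needs from one Event XML record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    security = system.find("e:Security", NS)
    return {
        "event_id": int(system.find("e:EventID", NS).text),
        "computer": system.find("e:Computer", NS).text,
        "user_id": security.get("UserID") if security is not None else None,
        "time": parse_time(system.find("e:TimeCreated", NS).get("SystemTime")),
        # EventData/Data children keyed by their Name attribute (e.g. Path)
        "data": {d.get("Name"): (d.text or "")
                 for d in root.findall("e:EventData/e:Data", NS)},
    }


def flag_installs(events, window=timedelta(minutes=5)):
    """Return 854 installs that have a correlated 603/400 indicator.

    Assumption: events are correlated by Computer + UserID within `window`.
    """
    findings = []
    for inst in (e for e in events if e["event_id"] == 854):
        reasons = set()
        for other in events:
            if (other["computer"], other["user_id"]) != (inst["computer"], inst["user_id"]):
                continue
            if abs(other["time"] - inst["time"]) > window:
                continue
            # Assumed EventData names for the 603 and 400 events
            if other["event_id"] == 603 and int(other["data"].get("Flags", "0")) & UNSIGNED_FLAG:
                reasons.add("unsigned package (EventID 603 Flags=8388608)")
            if other["event_id"] == 400 and other["data"].get("HasFullTrust", "").lower() == "true":
                reasons.add("full trust package (EventID 400 HasFullTrust=true)")
        if reasons:
            findings.append({"path": inst["data"].get("Path"), "computer": inst["computer"],
                             "user_id": inst["user_id"], "reasons": sorted(reasons)})
    return findings


def make_event(event_id, system_time, data, computer="DESKTOP-EXAMPLE",
               user_id="S-1-5-21-1234567890-1234567890-1234567890-1001"):
    """Build a constructed event in the schema of the page's example log."""
    fields = "".join(f"<Data Name='{k}'>{v}</Data>" for k, v in data.items())
    return (f"<Event xmlns='{NS['e']}'><System>"
            f"<Provider Name='Microsoft-Windows-AppXDeploymentServer'/>"
            f"<EventID>{event_id}</EventID><TimeCreated SystemTime='{system_time}'/>"
            f"<Channel>Microsoft-Windows-AppXDeploymentServer/Operational</Channel>"
            f"<Computer>{computer}</Computer><Security UserID='{user_id}'/></System>"
            f"<EventData>{fields}</EventData></Event>")


# Constructed sample: one install preceded by unsigned + full-trust events,
# one install half an hour later with nothing correlated.
SAMPLE_EVENTS = [
    make_event(603, "2025-08-05T12:34:50.0000000Z", {"Flags": "8388608"}),
    make_event(400, "2025-08-05T12:34:55.1234567Z", {"HasFullTrust": "true"}),
    make_event(854, "2025-08-05T12:34:56.7890123Z",
               {"Path": r"C:\Users\User\Downloads\App.msix"}),
    make_event(854, "2025-08-05T13:10:00.0000000Z",
               {"Path": r"C:\Program Files\WindowsApps\Store.msix"}),
]


def run_sample():
    return flag_installs([parse_event(x) for x in SAMPLE_EVENTS])


if __name__ == "__main__":
    for f in run_sample():
        print(f["computer"], f["user_id"], f["path"], "; ".join(f["reasons"]))
```

Only the Downloads install is reported: it has both indicators within the window, while the later install has no correlated 603 or 400 event and is left alone, which is the behaviour the page describes (most installs are legitimate; the correlation is what raises the signal).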

Details

Property     Value
Source       XmlWinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational
Sourcetype   XmlWinEventLog
Separator    EventCode

Supported Apps

Event Fields

Fields:
  CategoryString
  Channel
  Computer
  EventCode
  EventData_Xml
  EventID
  EventRecordID
  Keywords
  Level
  Opcode
  Path
  ProcessID
  RecordNumber
  SourceName
  SystemTime
  System_Props_Xml
  Task
  TaskCategory
  ThreadID
  Version
  _time
  dest
  host
  user_id

Example Log

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-AppXDeploymentServer' Guid='{8127f6d4-59f9-4abf-8952-3e3a02073d5f}'/><EventID>854</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x4000000000000000</Keywords><TimeCreated SystemTime='2025-08-05T12:34:56.7890123Z'/><EventRecordID>123456</EventRecordID><Correlation/><Execution ProcessID='1234' ThreadID='5678'/><Channel>Microsoft-Windows-AppXDeploymentServer/Operational</Channel><Computer>DESKTOP-EXAMPLE</Computer><Security UserID='S-1-5-21-1234567890-1234567890-1234567890-1001'/></System><EventData><Data Name='Path'>C:\Users\User\Downloads\App.msix</Data></EventData></Event>

Source: GitHub | Version: 1