Classification

| Rule Name                                    | Rule Type | Common Event                     | Classification           |
|----------------------------------------------|-----------|----------------------------------|--------------------------|
| Catch All : MsiInstaller Messages            | Base Rule | General MsiInstaller Information | Operations : Information |
| EVID 1013 : MsiInstaller Information         | Sub Rule  | General MsiInstaller Information | Information              |
| EVID 1015 : MsiInstaller Service Unavailable | Sub Rule  | Service Unavailable              | Error                    |

Sample Logs


<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='MsiInstaller'/><EventID Qualifiers='0'>1029</EventID><Level>Information</Level><Task>None</Task><Keywords>Classic</Keywords><TimeCreated SystemTime='2016-10-28T18:50:58.000000000Z'/><EventRecordID>709684</EventRecordID><Channel>Application</Channel><Computer>_destinationhostname</Computer><Security UserID='_originUser\_domainOrigin'/></System><EventData><Data>Cylance PROTECT</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data></Data><Binary>7B32453634464335432D393238362D344133312D393136422D3044384145344232323935347D2C2033303130</Binary></EventData></Event>

Mapping with LogRhythm Schema

| Device Key in Log Message | Log Value            | LogRhythm Schema | Data Type   |
|---------------------------|----------------------|------------------|-------------|
| Provider Name             | Cylance PROTECT      | <venderinfo>     | Text/String |
| EventID Qualifiers        | 1029                 | <vmid>           | Number      |
| Level                     | Information          | <severity>       | Text/String |
| Computer                  | _destinationhostname | <dname>          | Text/String |
| N/A                       | N/A                  | <session>        | Number      |
| N/A                       | N/A                  | <processid>      | Number      |
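The following is an added example, not LogRhythm or Microsoft code, that puts the two tables above to work: it parses the sample MsiInstaller event XML, selects the rule that the rule table assigns to its EventID (sub rules for 1013 and 1015, the base "Catch All" rule otherwise), and fills the LogRhythm schema fields from the mapping table. The `(NULL)` normalisation and the hex-to-ASCII decoding of the `<Binary>` element are assumptions made for illustration; the page itself does not describe either.

```python
"""Parse a MsiInstaller Windows Event record and map it onto the LogRhythm
schema fields listed on this page.  Added example; rule and field names are
taken from the page's tables, everything else is an assumption."""
import binascii
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample input: the event shown in the "Sample Logs" section.
SAMPLE_EVENT = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='MsiInstaller'/><EventID Qualifiers='0'>1029</EventID>"
    "<Level>Information</Level><Task>None</Task><Keywords>Classic</Keywords>"
    "<TimeCreated SystemTime='2016-10-28T18:50:58.000000000Z'/>"
    "<EventRecordID>709684</EventRecordID><Channel>Application</Channel>"
    "<Computer>_destinationhostname</Computer>"
    "<Security UserID='_originUser\\_domainOrigin'/></System>"
    "<EventData><Data>Cylance PROTECT</Data><Data>(NULL)</Data><Data>(NULL)</Data>"
    "<Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data></Data>"
    "<Binary>7B32453634464335432D393238362D344133312D393136422D3044384145344232323935347D2C2033303130</Binary>"
    "</EventData></Event>"
)

# Rule table from the page: EventID -> (rule name, common event, classification).
SUB_RULES = {
    1013: ("EVID 1013 : MsiInstaller Information",
           "General MsiInstaller Information", "Information"),
    1015: ("EVID 1015 : MsiInstaller Service Unavailable",
           "Service Unavailable", "Error"),
}
BASE_RULE = ("Catch All : MsiInstaller Messages",
             "General MsiInstaller Information", "Operations : Information")


def classify(event_id):
    """Pick the sub rule for a known EventID, else fall back to the base rule."""
    name, common_event, classification = SUB_RULES.get(event_id, BASE_RULE)
    return {"rule_name": name, "common_event": common_event,
            "classification": classification}


def _clean(value):
    """Assumption: MsiInstaller writes '(NULL)' for unused parameters; drop it."""
    if value is None or value.strip() in ("", "(NULL)"):
        return None
    return value


def parse_event(xml_text):
    """Extract the raw fields the mapping table refers to from the event XML."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    binary = root.find("e:EventData/e:Binary", NS)
    binary_text = None
    if binary is not None and binary.text:
        # Assumption: the Binary payload is hex-encoded ASCII text.
        binary_text = binascii.unhexlify(binary.text).decode("ascii", "replace")
    return {
        "provider": system.find("e:Provider", NS).get("Name"),
        "event_id": int(system.find("e:EventID", NS).text),
        "level": system.find("e:Level", NS).text,
        "computer": system.find("e:Computer", NS).text,
        "data": [_clean(d.text) for d in root.findall("e:EventData/e:Data", NS)],
        "binary": binary_text,
    }


def to_logrhythm(parsed):
    """Apply the mapping table: the page puts the product string from the first
    EventData field (Cylance PROTECT) into <venderinfo>; <session> and
    <processid> are listed as N/A and stay empty."""
    return {
        "venderinfo": parsed["data"][0] if parsed["data"] else None,
        "vmid": parsed["event_id"],
        "severity": parsed["level"],
        "dname": parsed["computer"],
        "session": None,
        "processid": None,
        **classify(parsed["event_id"]),
    }


if __name__ == "__main__":
    for key, val in to_logrhythm(parse_event(SAMPLE_EVENT)).items():
        print(f"{key:15} {val}")
```

Running the block prints the schema fields for the sample event: `vmid` 1029, `severity` Information, `dname` _destinationhostname, and, because 1029 has no sub rule, the "Catch All : MsiInstaller Messages" base rule with classification "Operations : Information". Decoding the `<Binary>` element as ASCII yields a GUID followed by the number 3010; what those values mean is not stated on the page.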