Classification

Rule Name | Rule Type | Common Event | Classification
EVID 1040 & 1042 : MsiInstaller | Base Rule | General Software Installation Information | Information
EVID 1040 : Installer Started | Sub Rule | Process/Service Started | Startup and Shutdown
EVID 1042 : Installer Exited | Sub Rule | Process/Service Stopped | Startup and Shutdown

Sample Logs

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='MsiInstaller'/>
    <EventID Qualifiers='0'>1042</EventID>
    <Level>Information</Level>
    <Task>None</Task>
    <Keywords>Classic</Keywords>
    <TimeCreated SystemTime='2016-10-28T18:02:59.000000000Z'/>
    <EventRecordID>2793187</EventRecordID>
    <Channel>Application</Channel>
    <Computer>_destinationHostname</Computer>
    <Security UserID='_domain\_originUser'/>
  </System>
  <EventData>
    <Data>C:\ProgramData\Package Cache\{2e64fc5c-9286-4a31-916b-0d8ae4b22954}v1.2.1400.39\CylanceProtectSetup_Release_x64.msi</Data>
    <Data>8256</Data>
    <Data>(NULL)</Data>
    <Data>(NULL)</Data>
    <Data>(NULL)</Data>
    <Data>(NULL)</Data>
    <Data></Data>
  </EventData>
</Event>

Mapping with LogRhythm Schema

Device Key in Log Message | Log Value | LogRhythm Schema | Data Type
Provider Name | MsiInstaller | <vendorinfo> | Text/String
EventID | 1042 | <vmid> | Number
Level | Information | <severity> | Text/String
Computer | _destinationHostname | <dname> | Text/String
Security UserID | _domain | <domain> | Text/String
N/A | _originUser | <login> | Text/String
N/A | CylanceProtectSetup_Release_x64.msi | <process> | Text/String
N/A | C:\ProgramData\Package Cache\{2e64fc5c-9286-4a31-916b-0d8ae4b22954}v1.2.1400.39\CylanceProtectSetup_Release_x64.msi | <object> | Text/String
N/A | 8256 | <processid> | Number
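As an added worked example (my own code, not LogRhythm's parser or a rule from its knowledge base), the Python function below applies the mapping above to the sample event: it reads the EventData entries positionally, splits the Security UserID into domain and login, and attaches the sub-rule name for the EventID. The function name parse_msiinstaller_event and the output key names are my choices; the sample event is the one shown on this page.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}  # <Event> namespace
SUB_RULES = {1040: "Installer Started", 1042: "Installer Exited"}  # from the table above

# The page's sample 1042 event, embedded as the single line Windows logs it as.
SAMPLE_EVENT = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>"
    "<Provider Name='MsiInstaller'/><EventID Qualifiers='0'>1042</EventID>"
    "<Level>Information</Level><Task>None</Task><Keywords>Classic</Keywords>"
    "<TimeCreated SystemTime='2016-10-28T18:02:59.000000000Z'/><EventRecordID>2793187"
    "</EventRecordID><Channel>Application</Channel><Computer>_destinationHostname"
    "</Computer><Security UserID='_domain\\_originUser'/></System><EventData><Data>"
    "C:\\ProgramData\\Package Cache\\{2e64fc5c-9286-4a31-916b-0d8ae4b22954}v1.2.1400.39"
    "\\CylanceProtectSetup_Release_x64.msi</Data><Data>8256</Data><Data>(NULL)</Data>"
    "<Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data></Data></EventData></Event>"
)

def parse_msiinstaller_event(xml_text: str) -> dict:
    """Map one MsiInstaller 1040/1042 event onto the schema fields of the mapping
    table above and attach the sub-rule name that matches its EventID."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    vendor = system.find("e:Provider", NS).get("Name")
    vmid = int(system.findtext("e:EventID", namespaces=NS))
    if vendor != "MsiInstaller" or vmid not in SUB_RULES:
        raise ValueError(f"not an MsiInstaller 1040/1042 event: {vendor} {vmid}")

    # Security UserID carries DOMAIN\user; split it into <domain> and <login>.
    domain, _, login = system.find("e:Security", NS).get("UserID", "").rpartition("\\")

    # EventData is positional: Data[0] is the package path and Data[1] the PID;
    # the trailing "(NULL)" / empty entries are not mapped by the rule.
    data = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]
    package_path = data[0] if data else ""
    pid = int(data[1]) if len(data) > 1 and data[1].isdigit() else None

    return {
        "sub_rule": SUB_RULES[vmid],
        "vendorinfo": vendor,
        "vmid": vmid,
        "severity": system.findtext("e:Level", namespaces=NS),
        "dname": system.findtext("e:Computer", namespaces=NS),
        "domain": domain,
        "login": login,
        "process": ntpath.basename(package_path),  # file name only -> <process>
        "object": package_path,                    # full path -> <object>
        "processid": pid,
    }
```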