updates

Author: MHaggis

data_sources/windows_event_log_appxdeployment_server_400.yml

@@ -47,8 +47,23 @@ fields:
 - dest
 - host
 - user_id
+output_fields:
+- _time
+- CallingProcess
+- dest
+- dvc
+- EventCode
+- HasFullTrust
+- host
+- IsCentennial
+- PackageDisplayName
+- PackageFullName
+- PackageSourceUri
+- Path
+- ProcessID
+- user_id
 references:
 - https://learn.microsoft.com/en-us/windows/msix/desktop/desktop-to-uwp-behind-the-scenes
 - https://learn.microsoft.com/en-us/windows/msix/package/package-identity
 - https://redcanary.com/blog/threat-intelligence/msix-installers/
-example_log: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-AppXDeployment-Server' Guid='{3f471139-acb7-4a01-b7a7-ff5da4ba2d43}'/><EventID>400</EventID><Version>0</Version><Level>4</Level><Task>3</Task><Opcode>2</Opcode><Keywords>0x4000000000000001</Keywords><TimeCreated SystemTime='2025-08-06T16:21:23.2487289Z'/><EventRecordID>16489</EventRecordID><Correlation ActivityID='{df6fb197-9b7b-0003-0230-a39ded06dc01}'/><Execution ProcessID='5820' ThreadID='5960'/><Channel>Microsoft-Windows-AppXDeploymentServer/Operational</Channel><Computer>HaagMSIX</Computer><Security UserID='S-1-5-21-2568234075-4274264167-1034506908-500'/></System><EventData><Data Name='DeploymentOperation'>6</Data><Data Name='PackageFullName'>Microsoft.DesktopAppInstaller_2025.717.1857.0_neutral_~_8wekyb3d8bbwe</Data><Data Name='Path'> (AppxBundleManifest.xml) </Data><Data Name='MountPoint'>C:</Data><Data Name='TargetPlatform'>0x0</Data><Data Name='SystemVolume'>true</Data><Data Name='StorageId'>\\?\Volume{de26f417-916d-40a6-aaa9-9675b36f2d21}</Data><Data Name='IsCentennial'>false</Data><Data Name='PackageType'>0x8</Data><Data Name='IsPackageEncrypted'>false</Data><Data Name='DeploymentOptions'>0x40040040</Data><Data Name='IsStreamingPackage'>false</Data><Data Name='IsInRelatedSet'>false</Data><Data Name='IsPackageUsingBDC'>false</Data><Data Name='MainPackageFamilyName'>NULL</Data><Data Name='CallingProcess'>sihost.exe</Data><Data Name='IsOptional'>false</Data><Data Name='PackageFlags'>0x400</Data><Data Name='PackageFlags2'>0x800</Data><Data Name='HasWin32alacarte'>false</Data><Data Name='HasFullTrust'>false</Data><Data Name='ExternalLocation'></Data><Data Name='PackageSourceUri'>x-windowsupdate://05C4B27B-6E00-4A05-9B94-15C77E54E690/F855810C-9F77-45FF-A0F5-CD0FEAA945C6/508bfda4dcfb262c40e6f5d8e8811b3f47ee98a2</Data><Data Name='PackageDisplayName'> </Data></EventData></Event>
+example_log: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-AppXDeployment-Server' Guid='{3f471139-acb7-4a01-b7a7-ff5da4ba2d43}'/><EventID>400</EventID><Version>0</Version><Level>4</Level><Task>3</Task><Opcode>2</Opcode><Keywords>0x4000000000000001</Keywords><TimeCreated SystemTime='2025-08-06T16:21:23.2487289Z'/><EventRecordID>16489</EventRecordID><Correlation ActivityID='{df6fb197-9b7b-0003-0230-a39ded06dc01}'/><Execution ProcessID='5820' ThreadID='5960'/><Channel>Microsoft-Windows-AppXDeploymentServer/Operational</Channel><Computer>HaagMSIX</Computer><Security UserID='S-1-5-21-2568234075-4274264167-1034506908-500'/></System><EventData><Data Name='DeploymentOperation'>6</Data><Data Name='PackageFullName'>Microsoft.DesktopAppInstaller_2025.717.1857.0_neutral_~_8wekyb3d8bbwe</Data><Data Name='Path'> (AppxBundleManifest.xml) </Data><Data Name='MountPoint'>C:</Data><Data Name='TargetPlatform'>0x0</Data><Data Name='SystemVolume'>true</Data><Data Name='StorageId'>\\?\Volume{de26f417-916d-40a6-aaa9-9675b36f2d21}</Data><Data Name='IsCentennial'>false</Data><Data Name='PackageType'>0x8</Data><Data Name='IsPackageEncrypted'>false</Data><Data Name='DeploymentOptions'>0x40040040</Data><Data Name='IsStreamingPackage'>false</Data><Data Name='IsInRelatedSet'>false</Data><Data Name='IsPackageUsingBDC'>false</Data><Data Name='MainPackageFamilyName'>NULL</Data><Data Name='CallingProcess'>sihost.exe</Data><Data Name='IsOptional'>false</Data><Data Name='PackageFlags'>0x400</Data><Data Name='PackageFlags2'>0x800</Data><Data Name='HasWin32alacarte'>false</Data><Data Name='HasFullTrust'>false</Data><Data Name='ExternalLocation'></Data><Data Name='PackageSourceUri'>x-windowsupdate://05C4B27B-6E00-4A05-9B94-15C77E54E690/F855810C-9F77-45FF-A0F5-CD0FEAA945C6/508bfda4dcfb262c40e6f5d8e8811b3f47ee98a2</Data><Data Name='PackageDisplayName'> </Data></EventData></Event>

detections/endpoint/windows_appx_deployment_full_trust_package_installation.yml

@@ -9,7 +9,7 @@ description: The following analytic detects the installation of MSIX/AppX packag
 data_source:
 - Windows Event Log AppXDeployment-Server 400
 search: '`wineventlog_appxdeploymentserver` EventCode=400 HasFullTrust="true"
-  | stats count min(_time) as firstTime max(_time) as lastTime values(PackageFullName) as PackageFullName values(Path) as PackagePath values(PackageSourceUri) as PackageSourceUri values(PackageDisplayName) as PackageDisplayName values(CallingProcess) as CallingProcess values(IsCentennial) as IsCentennial by host EventCode HasFullTrust user_id
+  | stats count min(_time) as firstTime max(_time) as lastTime values(PackageFullName) as PackageFullName values(Path) as PackagePath values(PackageSourceUri) as PackageSourceUri values(PackageDisplayName) as PackageDisplayName values(CallingProcess) as CallingProcess values(IsCentennial) as IsCentennial by dvc EventCode HasFullTrust user_id | rename dvc as dest
   | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)`
   | `windows_appx_deployment_full_trust_package_installation_filter`'
@@ -22,21 +22,21 @@ references:
 - https://learn.microsoft.com/en-us/windows/msix/package/package-identity
 - https://attack.mitre.org/techniques/T1553/005/
 drilldown_searches:
-- name: View the detection results for - "$host$"
-  search: '%original_detection_search% | search host = "$host$"'
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search dest = "$dest$"'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$host$"
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host$")
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
     starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
     values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
     as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
     as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
     | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
-- name: Look for related PowerShell activity from the same host
-  search: '`powershell` EventCode=4104 host="$host$" | stats count by ScriptBlockText'
+- name: Look for related PowerShell activity from the same dest
+  search: '`powershell` EventCode=4104 dest="$dest$" | stats count by ScriptBlockText'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 tags:

detections/endpoint/windows_appx_deployment_package_installation_success.yml

@@ -9,7 +9,7 @@ description: This analytic detects successful MSIX/AppX package installations on
 data_source:
 - Windows Event Log AppXDeployment-Server 854
 search: '`wineventlog_appxdeploymentserver` EventCode=854
-  | stats count min(_time) as firstTime max(_time) as lastTime values(Path) as PackagePath by host EventCode user_id
+  | stats count min(_time) as firstTime max(_time) as lastTime values(Path) as PackagePath by dvc EventCode user_id | rename dvc as dest
   | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)`
   | `windows_appx_deployment_package_installation_success_filter`'
@@ -20,22 +20,22 @@ references:
 - https://www.appdeploynews.com/packaging-types/msix/troubleshooting-an-msix-package/
 - https://www.advancedinstaller.com/msix-installation-or-launching-errors-and-fixes.html
 drilldown_searches:
-- name: View the detection results for - "$host$"
-  search: '%original_detection_search% | search host = "$host$"'
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search dest = "$dest$"'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
-- name: View related unsigned package installations for - "$host$"
-  search: 'source="XmlWinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational" EventCode=603 Flags="8388608" host="$host$"'
+- name: View related unsigned package installations for - "$dest$"
+  search: 'source="XmlWinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational" EventCode=603 Flags="8388608" host="$dest$"'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
-- name: View related full trust package installations for - "$host$"
-  search: 'source="XmlWinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational" EventCode=400 HasFullTrust="true" host="$host$"'
+- name: View related full trust package installations for - "$dest$"
+  search: 'source="XmlWinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational" EventCode=400 HasFullTrust="true" host="$dest$"'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: A MSIX/AppX package $PackagePath$ was successfully installed on $host$ by user $user_id$.
+  message: A MSIX/AppX package $PackagePath$ was successfully installed on $dest$ by user $user_id$.
   risk_objects:
-  - field: host
+  - field: dest
     type: system
     score: 10
   threat_objects:

detections/endpoint/windows_appx_deployment_unsigned_package_installation.yml

@@ -9,7 +9,7 @@ description: The following analytic detects attempts to install unsigned MSIX/Ap
 data_source:
 - Windows Event Log AppXDeployment-Server 855
 search: '`wineventlog_appxdeploymentserver` EventCode=603 Flags="8388608"
-  | stats count min(_time) as firstTime max(_time) as lastTime values(Path) as Path values(CallingProcess) as CallingProcess by host EventCode Flags user_id
+  | stats count min(_time) as firstTime max(_time) as lastTime values(Path) as file_name values(CallingProcess) as CallingProcess by dvc EventCode Flags user_id | rename dvc as dest
   | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)`
   | `windows_appx_deployment_unsigned_package_installation_filter`'
@@ -21,31 +21,31 @@ references:
 - https://redcanary.com/blog/threat-intelligence/msix-installers/
 - https://attack.mitre.org/techniques/T1553/005/
 drilldown_searches:
-- name: View the detection results for - "$host$"
-  search: '%original_detection_search% | search host = "$host$"'
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search dest = "$dest$"'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$host$"
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host$")
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
     starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
     values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
     as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
     as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
     | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
-- name: Look for related PowerShell activity from the same host
-  search: '`powershell` EventCode=4104 host="$host$" ScriptBlockText="*Add-AppxPackage*" OR ScriptBlockText="*Add-AppPackage*" | stats count by ScriptBlockText'
+- name: Look for related PowerShell activity from the same dest
+  search: '`powershell` EventCode=4104 dest="$dest$" ScriptBlockText="*Add-AppxPackage*" OR ScriptBlockText="*Add-AppPackage*" | stats count by ScriptBlockText'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: Unsigned MSIX/AppX package $Path$ installation attempted on $host$ by user $user_id$ using $CallingProcess$
+  message: Unsigned MSIX/AppX package $Path$ installation attempted on $dest$ by user $user_id$ using $CallingProcess$
   risk_objects:
-  - field: host
+  - field: dest
     type: system
     score: 65
   threat_objects:
-  - field: Path
+  - field: file_name
     type: file_name
 tags:
   analytic_story:

detections/endpoint/developer_signed_msix_package_installation.yml renamed to detections/endpoint/windows_developer_signed_msix_package_installation.yml

@@ -1,4 +1,4 @@
-name: Developer-Signed MSIX Package Installation
+name: Windows Developer-Signed MSIX Package Installation
 id: 2c0427aa-982c-4e97-bc33-bddeda4fd095
 version: 1
 date: '2025-08-05'
@@ -10,10 +10,10 @@ data_source:
 - Windows Event Log AppXDeployment-Server 855
 search: '`wineventlog_appxdeploymentserver` EventCode=855 
   NOT PackageMoniker IN ("*8wekyb3d8bbwe*","*cw5n1h2txyewy*")
-  | stats count min(_time) as firstTime max(_time) as lastTime values(PackageMoniker) as PackageMoniker by host EventCode user_id
+  | stats count min(_time) as firstTime max(_time) as lastTime values(PackageMoniker) as PackageMoniker by dvc EventCode user_id | rename dvc as dest
   | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)`
-  | `developer_signed_msix_package_installation_filter`'
+  | `windows_developer_signed_msix_package_installation_filter`'
 how_to_implement: To implement this detection, you need to be collecting Windows Event logs from the Microsoft-Windows-AppXDeploymentServer/Operational channel. In Splunk, this typically requires the Windows TA and configuration to collect from this specific channel. Ensure your Windows event collection is properly configured to capture EventCode 855 from the Microsoft-Windows-AppXDeploymentServer/Operational log.
 known_false_positives: Legitimate developer-signed applications that are not from the Microsoft Store will trigger this detection. Organizations should maintain a baseline of expected developer-signed applications in their environment and tune the detection accordingly. Common legitimate developer-signed applications include in-house developed applications and some third-party applications that are not distributed through the Microsoft Store.
 references:
@@ -22,12 +22,12 @@ references:
 - https://www.advancedinstaller.com/msix-installation-or-launching-errors-and-fixes.html
 - https://redcanary.com/blog/threat-detection/code-signing-certificates/
 drilldown_searches:
-- name: View the detection results for - "$host$"
-  search: '%original_detection_search% | search host = "$host$"'
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search dest = "$dest$"'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$host$"
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host$")
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
     starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
     values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
     as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
@@ -36,9 +36,9 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: A developer-signed MSIX package "$PackageMoniker$" was installed on $host$ by user $user_id$.
+  message: A developer-signed MSIX package "$PackageMoniker$" was installed on $dest$ by user $user_id$.
   risk_objects:
-  - field: host
+  - field: dest
     type: system
     score: 40
   threat_objects: