by
Gravwell
|
This query will show the last set of MSI installers that were fired on each computer.
tag=windows winlog Provider==MsiInstaller EventID==1040 Computer EventData| regex -e EventData "<Data>(?P<msi>.+\.(msi|MSI))</Data>"| last msi Computer| table TIMESTAMP EventID Computer msi
More information available at eventid.
Visit gravwell.io/query to view an archive of our previous Query of the Week posts.
