Event ID 854 — Successfully added the following uri(s) to be processed: Path.
Description
Successfully added the following uri(s) to be processed: Path.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Path | UnicodeString | Successfully added the following uri(s) to be processed. |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-AppXDeployment-Server",
    "guid": "3F471139-ACB7-4A01-B7A7-FF5DA4BA2D43",
    "event_source_name": "",
    "event_id": 854,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 0,
    "keywords": 4611686018427387905,
    "time_created": "2023-11-06T06:23:17.526216+00:00",
    "event_record_id": 6800,
    "correlation": {
      "ActivityID": "626F7C94-1079-0000-B9AE-6F627910DA01"
    },
    "execution": {
      "process_id": 1532,
      "thread_id": 1660
    },
    "channel": "Microsoft-Windows-AppXDeploymentServer/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Path": " C:\\Program Files\\WindowsApps\\MicrosoftWindows.Client.WebExperience_423.23500.0.0_neutral_~_cw5n1h2txyewy\\AppxMetadata\\AppxBundleManifest.xml C:\\Program Files\\WindowsApps\\MicrosoftWindows.Client.WebExperience_423.23500.0.0_x64__cw5n1h2txyewy\\AppxManifest.xml"
  },
  "message": ""
}
```
Detection Rules
Sigma
- Remote AppX Package Downloaded from File Sharing or CDN Domain (level: high): Detects an appx package that was added to the pipeline of the "to be processed" packages which was downloaded from a file sharing or CDN domain.
- AppX Located in Known Staging Directory Added to Deployment Pipeline (level: high): Detects an appx package that was added to the pipeline of the "to be processed" packages that is located in a known folder often used as a staging directory.
- AppX Located in Uncommon Directory Added to Deployment Pipeline (level: medium): Detects an appx package that was added to the pipeline of the "to be processed" packages that is located in uncommon locations.
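The three Sigma rules above all key on the Path field of Event ID 854, which, as the example event shows, can carry several URIs joined by single spaces while the paths themselves contain spaces (C:\Program Files\...). The following added example (not code from the page, from Sigma or from Splunk) splits the field at URI boundaries and classifies each entry the way those rules do; the CDN/file-sharing domains, staging directories and expected prefixes are constructed placeholders, not the rules' actual lists.

```python
import re
from urllib.parse import urlparse

# Constructed sample built from the page's example event: the Path value starts
# with a space and holds two paths separated by a single space.
SAMPLE_EVENT = {
    "system": {"event_id": 854, "provider": "Microsoft-Windows-AppXDeployment-Server"},
    "event_data": {"Path": " C:\\Program Files\\WindowsApps\\MicrosoftWindows.Client.WebExperience_423.23500.0.0_neutral_~_cw5n1h2txyewy\\AppxMetadata\\AppxBundleManifest.xml C:\\Program Files\\WindowsApps\\MicrosoftWindows.Client.WebExperience_423.23500.0.0_x64__cw5n1h2txyewy\\AppxManifest.xml"},
}

# Placeholder lists (assumptions for this example, not the Sigma rules' values).
FILE_SHARING_OR_CDN = ("cdn.discordapp.com", "transfer.sh", "githubusercontent.com", "dropbox.com")
STAGING_DIRS = ("\\temp\\", "\\downloads\\", "\\appdata\\local\\temp\\", "\\public\\", "\\perflogs\\")
EXPECTED_PREFIXES = ("c:\\program files\\windowsapps\\", "c:\\windows\\systemapps\\")

# Every entry begins with a drive letter, a UNC prefix or a URL scheme, so split
# just before those; splitting on whitespace would cut "C:\Program Files\..." apart.
# The lookbehind stops the scheme branch from matching inside "https" at every letter.
URI_START = re.compile(r"(?=[A-Za-z]:\\|\\\\|(?<![A-Za-z0-9+.\-])[a-z][a-z0-9+.\-]*://)")


def split_paths(path_field: str) -> list[str]:
    """Return the individual URIs/paths packed into one Path field value."""
    return [p.strip() for p in URI_START.split(path_field) if p.strip()]


def classify(uri: str) -> str:
    """Map one entry to the category the Sigma rules above distinguish."""
    low = uri.lower()
    if "://" in low:
        host = urlparse(low).hostname or ""
        if any(host == d or host.endswith("." + d) for d in FILE_SHARING_OR_CDN):
            return "remote_file_sharing_or_cdn"
        return "remote_other"
    if any(s in low for s in STAGING_DIRS):
        return "staging_directory"
    if not low.startswith(EXPECTED_PREFIXES):
        return "uncommon_directory"
    return "expected"


def triage_event(event: dict) -> list[tuple[str, str]]:
    """For an Event ID 854 record, return (entry, category) for every packed path."""
    if event["system"]["event_id"] != 854:
        return []
    return [(p, classify(p)) for p in split_paths(event["event_data"]["Path"])]


if __name__ == "__main__":
    for entry, category in triage_event(SAMPLE_EVENT):
        print(f"{category:28} {entry}")
```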
Splunk
- Windows AppX Deployment Package Installation Success: This analytic detects successful MSIX/AppX package installations on Windows systems by monitoring EventID 854 in the Microsoft-Windows-AppXDeployment-Server/Operational log. This event is generated when an MSIX/AppX package has been successfully installed on a system. While most package installations are legitimate, monitoring these events can help identify unauthorized or suspicious package installations, especially when correlated with other events such as unsigned package installations (EventID 603 with Flags=8388608) or full trust package installations (EventID 400 with HasFullTrust=true).
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline