by Gravwell
This query shows, for each computer, the most recent MSI package for which the Windows Installer service logged event ID 1040 (the start of an installer transaction), giving a quick fleet-wide view of which package last started installing on each host. Note that the regex only keeps paths ending in .msi or .MSI, so .msp patches and packages run from a file with a different extension do not appear in the results.
tag=windows winlog Provider==MsiInstaller EventID==1040 Computer EventData
| regex -e EventData "<Data>(?P<msi>.+\.(msi|MSI))</Data>"
| last msi Computer
| table TIMESTAMP EventID Computer msi
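The same filter, extract, last-per-computer and table steps run offline over a handful of constructed Windows events, as an added Python example that is not part of Gravwell's query language or code. The event records, hostnames and paths are made up; the regex is the one from the query, except that the path match is non-greedy so that a package path never swallows a following <Data> element:

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Same extraction the Gravwell regex module performs on EventData, with a
# non-greedy ".+?" so a path can never swallow a following <Data> element.
MSI_RE = re.compile(r"<Data>(?P<msi>.+?\.(msi|MSI))</Data>")


@dataclass(frozen=True)
class WinEvent:
    timestamp: str   # ISO 8601 text, so lexical order is time order
    provider: str    # winlog Provider
    event_id: int    # winlog EventID
    computer: str    # winlog Computer
    event_data: str  # raw inner XML of <EventData>


# Constructed sample events (not real telemetry): two 1040 starts on WS01
# delivered out of order, one 1042 end-of-transaction, one unrelated 4688,
# and an .msp patch on WS03 that the regex must not match.
SAMPLE_EVENTS: List[WinEvent] = [
    WinEvent("2024-05-01T10:30:00Z", "MsiInstaller", 1040, "WS01",
             r"<Data>C:\Users\alice\Downloads\tool.MSI</Data><Data>5532</Data>"),
    WinEvent("2024-05-01T09:00:00Z", "MsiInstaller", 1040, "WS01",
             r"<Data>C:\Temp\agent-setup.msi</Data><Data>4120</Data>"),
    WinEvent("2024-05-01T10:31:00Z", "MsiInstaller", 1042, "WS01",
             r"<Data>C:\Users\alice\Downloads\tool.MSI</Data><Data>5532</Data>"),
    WinEvent("2024-05-01T08:15:00Z", "MsiInstaller", 1040, "WS02",
             r"<Data>\\fileserv\share\printer-driver.msi</Data><Data>908</Data>"),
    WinEvent("2024-05-01T11:00:00Z", "Microsoft-Windows-Security-Auditing", 4688, "WS02",
             r"<Data>C:\Windows\System32\msiexec.exe</Data>"),
    WinEvent("2024-05-01T12:00:00Z", "MsiInstaller", 1040, "WS03",
             r"<Data>C:\Temp\hotfix.msp</Data><Data>77</Data>"),
]

# One output row: TIMESTAMP, EventID, Computer, msi
Row = Tuple[str, int, str, str]


def last_msi_per_computer(events: List[WinEvent]) -> Dict[str, Row]:
    """Keep only MsiInstaller/1040 events with an .msi path and return the
    latest one per computer, mirroring the query's filter, regex and last."""
    latest: Dict[str, Row] = {}
    # Sort by time first so "last" means most recent even if ingestion
    # delivered the events out of order.
    for ev in sorted(events, key=lambda e: e.timestamp):
        if ev.provider != "MsiInstaller" or ev.event_id != 1040:
            continue
        m = MSI_RE.search(ev.event_data)
        if m is None:
            continue  # .msp patches or odd data: dropped, exactly as the query does
        latest[ev.computer] = (ev.timestamp, ev.event_id, ev.computer, m.group("msi"))
    return latest


def render_table(rows: Dict[str, Row]) -> str:
    """Tab-separated table with the query's column order."""
    lines = ["\t".join(("TIMESTAMP", "EventID", "Computer", "msi"))]
    for computer in sorted(rows):
        ts, eid, comp, msi = rows[computer]
        lines.append(f"{ts}\t{eid}\t{comp}\t{msi}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(last_msi_per_computer(SAMPLE_EVENTS)))
```

Running it prints WS01 with the later tool.MSI row and WS02 with the UNC-path package; WS03 is absent because hotfix.msp never matches the .msi pattern, which is the blind spot to keep in mind when relying on this query alone.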
More information available at eventid.
Visit gravwell.io/query to view an archive of our previous Query of the Week posts.