This query will show the last set of MSI installers that were fired on each computer.
tag=windows winlog Provider==MsiInstaller EventID==1040 Computer EventData
| regex -e EventData "<Data>(?P<msi>.+\.(msi|MSI))</Data>"
| last msi Computer
| table TIMESTAMP EventID Computer msi
More information available at http://www.eventid.net/display-eventid-1040-source-MsiInstaller-eventno-10770-phase-1.htm#:~:text=Event%20ID%3A%201040%20Source%3A%20MsiInstaller,-Source&text=This%20event%20indicates%20that%20the,the%20source%20of%20the%20problem.
Visit gravwell.io/query to view an archive of our previous Query of the Week posts.
