
MSI Installation From Web

Sigma Rules

Summary
This detection rule identifies MSI (Microsoft Installer) packages being installed from remote web locations. It targets events logged by the Windows 'MsiInstaller' service with Event IDs 1040 and 1042, which indicate that an installer package is being installed, and selects those whose logged data contains a URL separator ('://'), which suggests that the MSI is being fetched from the internet rather than from a local source. The primary concern with such installations is that they can be a vector for unpredictable or malicious software installations, as attackers may use web-hosted MSI files to deliver payloads. Context is needed to distinguish legitimate software installations from potentially harmful ones, hence the medium risk level. This rule is particularly relevant in environments where software installations are closely monitored and controlled, as it helps mitigate the risks of unauthorized or unexpected downloads executed from web-based sources.
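As an added example (not the rule's own source), the selection logic described above written as a small Python matcher and run over constructed Windows Application log events; the field names (provider, event_id, data) and the sample message texts are assumptions for this example, not the rule's field mapping.

```python
from dataclasses import dataclass


@dataclass
class AppLogEvent:
    """Minimal shape of a Windows Application log entry (field names assumed)."""
    provider: str
    event_id: int
    data: str


def is_msi_install_from_web(event: AppLogEvent) -> bool:
    """Return True when the event matches the rule's selection:
    MsiInstaller provider, Event ID 1040 or 1042 (installer transaction),
    and a URL scheme separator ('://') somewhere in the logged data."""
    if event.provider != "MsiInstaller":
        return False
    if event.event_id not in (1040, 1042):
        return False
    return "://" in event.data


def find_matches(events):
    """Filter a sequence of events down to those the rule would alert on."""
    return [e for e in events if is_msi_install_from_web(e)]


# Constructed sample log: one web-sourced install (should match), one local
# install (no URL), one unrelated MsiInstaller event ID, and one event from
# another provider that happens to contain a URL.
SAMPLE_EVENTS = [
    AppLogEvent("MsiInstaller", 1040,
                "Beginning a Windows Installer transaction: https://example.invalid/tool.msi. Client Process Id: 4321."),
    AppLogEvent("MsiInstaller", 1040,
                "Beginning a Windows Installer transaction: C:\\Users\\alice\\Downloads\\setup.msi. Client Process Id: 1234."),
    AppLogEvent("MsiInstaller", 1033,
                "Windows Installer installed the product. Product Name: Example Tool."),
    AppLogEvent("ExampleProvider", 100,
                "Constructed event mentioning https://example.invalid but not an MSI install."),
]

if __name__ == "__main__":
    for e in find_matches(SAMPLE_EVENTS):
        print(f"ALERT MsiInstaller {e.event_id}: {e.data}")
```

Only the first sample event matches; the local-path install, the other MsiInstaller event ID, and the URL from a different provider are all filtered out, which is where per-environment tuning (e.g. known internal distribution hosts) would start.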
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Application Log
Created: 2022-10-23