Suspicious Application Installed

Sigma Rules

Summary
The rule 'Suspicious Application Installed' is designed to identify the installation of potentially malicious applications on Windows systems by examining changes in the application resolver cache. It specifically looks for events corresponding to suspicious applications such as Zenmap, AnyDesk, Wireshark, and OpenVPN through EventID 28115. The rule comprises two selection criteria: the first targets suspicious application names that appear in the resolver cache, and the second matches installation events by the AppID associated with known suspicious executables. Detection occurs if either selection criterion is met. The rule also notes a source of false positives: these same applications may be installed legitimately by users or administrators. Therefore, context should be considered when evaluating alerts generated by this detection rule.
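To make the two-selection OR logic concrete, the following is an added example (not the Sigma rule itself, and not code from its author) that applies the same idea to a handful of constructed event records. The event field names `Name` and `AppID`, the substring patterns, and the sample records are all assumptions for illustration; the only values taken from the summary are the EventID 28115 and the four application names.

```python
"""Toy re-implementation of the detection logic described in the
'Suspicious Application Installed' rule summary.

ASSUMPTIONS (not taken from the Sigma rule): the field names 'Name' and
'AppID', the substring patterns below, and the sample events are invented
for illustration only.
"""

# Application names the summary lists as suspicious. Matched as
# case-insensitive substrings (assumption: the rule's exact patterns are
# not reproduced on the page).
SUSPICIOUS_APP_NAMES = ("zenmap", "anydesk", "wireshark", "openvpn")

# Executable names assumed for the AppID-based selection (assumption).
SUSPICIOUS_APPID_FRAGMENTS = (
    "zenmap.exe",
    "anydesk.exe",
    "wireshark.exe",
    "openvpn.exe",
)

RESOLVER_CACHE_EVENT_ID = 28115  # the EventID named in the summary


def selection_by_name(event):
    """Selection 1: a suspicious application name in the resolver cache entry."""
    name = str(event.get("Name", "")).lower()
    return any(app in name for app in SUSPICIOUS_APP_NAMES)


def selection_by_appid(event):
    """Selection 2: an AppID pointing at a known suspicious executable."""
    appid = str(event.get("AppID", "")).lower()
    return any(frag in appid for frag in SUSPICIOUS_APPID_FRAGMENTS)


def is_suspicious_install(event):
    """Alert when the EventID matches and EITHER selection hits (OR logic)."""
    if event.get("EventID") != RESOLVER_CACHE_EVENT_ID:
        return False
    return selection_by_name(event) or selection_by_appid(event)


def triage(events):
    """Return the events that would raise an alert. Per the summary, these
    still need context: the same tools are often installed legitimately."""
    return [e for e in events if is_suspicious_install(e)]


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # hits selection 1 and 2
    {"EventID": 28115, "Name": "AnyDesk",
     "AppID": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
    # hits selection 1 via substring match
    {"EventID": 28115, "Name": "Nmap - Zenmap GUI",
     "AppID": r"C:\Program Files (x86)\Nmap\zenmap.exe"},
    # benign application: no alert
    {"EventID": 28115, "Name": "Notepad",
     "AppID": r"C:\Windows\System32\notepad.exe"},
    # suspicious name but wrong EventID: no alert
    {"EventID": 1000, "Name": "Wireshark",
     "AppID": r"C:\Program Files\Wireshark\Wireshark.exe"},
    # generic name, only the AppID selection hits: still an alert
    {"EventID": 28115, "Name": "Shortcut",
     "AppID": r"C:\Program Files\OpenVPN\bin\openvpn.exe"},
]


if __name__ == "__main__":
    for e in triage(SAMPLE_EVENTS):
        print(f"ALERT EventID={e['EventID']} Name={e['Name']!r} AppID={e['AppID']}")
```

The last sample record shows why the second selection matters: a resolver cache entry with an uninformative display name is still caught through its AppID. The benign Notepad record and the Wireshark record with a non-matching EventID show the two ways an event falls through.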
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Application Log
Created: 2022-08-14