
Summary
This detection rule monitors successful installations of MSIX/AppX packages on Windows systems using EventID 854 from the Microsoft-Windows-AppXDeployment-Server/Operational log. It records each successful MSIX/AppX package installation, providing visibility into potentially unauthorized installations. The detection is most valuable when correlated with additional event codes, such as EventID 603 for unsigned packages and EventID 400 for full-trust packages. By analyzing the co-occurrence of these events, security teams can identify suspicious installations that may indicate malicious intent. Implementation requires collecting the relevant Windows Event Logs and configuring Splunk to ingest them appropriately. Users should also be aware of potential false positives, since legitimate package installations may trigger alerts. This rule is part of a comprehensive detection strategy and maps to MITRE ATT&CK technique T1204.002 (User Execution: Malicious File).
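The correlation the summary describes, written out as an added example (this is illustrative code, not the rule's own Splunk search): each EventID 854 install is checked for an EventID 603 (unsigned) or EventID 400 (full-trust) record for the same package within a short window before it. The event records, the field layout (time, event ID, package full name, user) and the package names are constructed for the illustration; real telemetry would come from the Microsoft-Windows-AppXDeployment-Server/Operational log.

```python
"""
Added example: correlate MSIX/AppX deployment events.
EventID 854 = successful install (the rule's trigger);
EventID 603 = unsigned package, EventID 400 = full-trust package
(the correlated codes named in the rule description).
Field names and sample events are assumed/constructed for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Event IDs named in the rule description
EVENT_INSTALL_OK = 854
EVENT_UNSIGNED = 603
EVENT_FULL_TRUST = 400


@dataclass
class Event:
    time: datetime      # assumed field: event timestamp
    event_id: int       # assumed field: Windows EventID
    package: str        # assumed field: package full name
    user: str           # assumed field: installing account


# Constructed sample log records, not real telemetry
SAMPLE_EVENTS = [
    # Unsigned, full-trust package installed seconds after both warnings: risk 2
    Event(datetime(2025, 8, 5, 9, 0, 5), EVENT_FULL_TRUST, "Contoso.Tools_1.0.0.0_x64__abc123", "CORP\\alice"),
    Event(datetime(2025, 8, 5, 9, 0, 6), EVENT_UNSIGNED, "Contoso.Tools_1.0.0.0_x64__abc123", "CORP\\alice"),
    Event(datetime(2025, 8, 5, 9, 0, 9), EVENT_INSTALL_OK, "Contoso.Tools_1.0.0.0_x64__abc123", "CORP\\alice"),
    # Ordinary install with no correlated warning: risk 0 (likely benign noise)
    Event(datetime(2025, 8, 5, 10, 15, 0), EVENT_INSTALL_OK, "Microsoft.WindowsTerminal_1.20.0.0_x64__8wekyb3d8bbwe", "CORP\\bob"),
    # Full-trust event 30 minutes before the install: outside the default 5-minute window
    Event(datetime(2025, 8, 5, 11, 0, 0), EVENT_FULL_TRUST, "Fabrikam.App_2.0.0.0_x64__def456", "CORP\\carol"),
    Event(datetime(2025, 8, 5, 11, 30, 0), EVENT_INSTALL_OK, "Fabrikam.App_2.0.0.0_x64__def456", "CORP\\carol"),
]


def correlate_installs(events, window=timedelta(minutes=5)):
    """Return one record per successful install (EventID 854) noting whether
    an unsigned (603) or full-trust (400) event was logged for the same
    package within `window` before the install. `risk` counts how many of
    the two correlated codes were seen (0, 1 or 2)."""
    results = []
    for ev in events:
        if ev.event_id != EVENT_INSTALL_OK:
            continue
        related = {
            e.event_id
            for e in events
            if e.package == ev.package
            and e.event_id in (EVENT_UNSIGNED, EVENT_FULL_TRUST)
            and ev.time - window <= e.time <= ev.time
        }
        results.append({
            "time": ev.time,
            "package": ev.package,
            "user": ev.user,
            "unsigned": EVENT_UNSIGNED in related,
            "full_trust": EVENT_FULL_TRUST in related,
            "risk": len(related),
        })
    return results


def flagged_packages(events, min_risk=1, window=timedelta(minutes=5)):
    """Packages whose install had at least `min_risk` correlated warnings."""
    return sorted(
        r["package"] for r in correlate_installs(events, window) if r["risk"] >= min_risk
    )


if __name__ == "__main__":
    for r in correlate_installs(SAMPLE_EVENTS):
        print(f'{r["time"]} {r["user"]:12} risk={r["risk"]} '
              f'unsigned={r["unsigned"]} full_trust={r["full_trust"]} {r["package"]}')
    print("flagged:", flagged_packages(SAMPLE_EVENTS))
```

Installs with `risk` 0 are the false-positive class the summary warns about (routine Store or enterprise deployments), so an analyst would typically alert on `risk >= 1` and review the rest in aggregate; the `window` parameter is the main tuning knob, and widening it to an hour would also flag the Fabrikam install above.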
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Application Log
ATT&CK Techniques
- T1204.002
Created: 2025-08-05