I have a correlation rule which alerts me when software is installed; the rule is based on Windows MsiInstaller eventID 1022.
Now I tried to make some exceptions for kinds of software like Windows patches, antivirus patches, and so on. I realized that I have to use a minimum of 4 variables in the condition:
Sometimes some variables are present in this variable, sometimes they are not.
My exceptions are in the attachment.
Unfortunately I still get alerts when, for example, Object Type is equal to 'Update Patch'.