David is a SOC analyst responsible for monitoring critical infrastructure.

The Setup event log is the most relevant Windows log for installation activity because it captures events related to software installation, servicing, and setup operations. For unauthorized application installs, the SOC needs timing, installer context, and evidence of package deployment or configuration changes driven by setup processes. The Setup log can contain MSI and update-related events, component installation records, and indications of system changes tied to installation workflows. The Security log is crucial for attribution (logons, privilege use, process creation if enabled), but it is not specifically focused on installer actions and may not capture full installation details unless advanced auditing is configured. The System log focuses on OS-level service and driver events (boot, service start/stop, hardware/driver issues) and may show related changes but is not the primary installation record. The Application log captures events written by applications themselves, which is inconsistent for installer tracing. In SOC practice, analysts often combine Setup log evidence with Security log context (who logged on, elevated rights, process lineage) and endpoint telemetry to identify the actor and technique, but the best single log for “when and how installs occurred” among these options is the Setup event log.