|Alert Message||Windows audit failure event|
This indicates that the VSS service has gone idle. It would indicate that a process before it (backup, restore, etc) has completed.
The Volume Shadow Copy Service (VSS) provides the ability to create a point in time image (shadow copy) of one or more volumes that can be used to perform backups. The service is also used during restores of applications.
 What you should do
This is an auditing event, indicating that an action has completed. Some auditing frameworks may require this data to be collected. Otherwise, this rule requires no action and could be set to not log.
 False Positives
There are no false positives with this rule.
 Tuning Guidance
If it is not required, this rule can be set to not log or otherwise be disabled safely.
 Additional Information
If you are unsure about how to respond to this alert, please contact Atomicorp support. We're here to help you!
 Similar Rules
 Knowledge Base Articles
 Outside References