Difference between revisions of "HIDS 60702"

From Atomicorp Wiki

Latest revision as of 12:54, 21 October 2020

Rule 1
Status: Active
Alert Message: Windows audit failure event

Description

This indicates that the VSS service has gone idle. It would indicate that a preceding process (backup, restore, etc.) has completed.

The Volume Shadow Copy Service (VSS) provides the ability to create a point-in-time image (shadow copy) of one or more volumes that can be used to perform backups. The service is also used during restores of applications.


What you should do

This is an auditing event, indicating that an action has completed. Some auditing frameworks may require this data to be collected. Otherwise, this rule requires no action and could be set to not log.


Troubleshooting

False Positives

There are no false positives with this rule.

Tuning Guidance

If it is not required, this rule can be set to not log or otherwise be disabled safely.


Additional Information

Support

If you are unsure about how to respond to this alert, please contact Atomicorp support. We're here to help you!

Similar Rules

None.

Knowledge Base Articles

None.

Outside References

None.

Notes
