
Summary
This detection rule identifies attempts to back up the Data Protection API (DPAPI) Domain Master Key on Windows systems. DPAPI provides cryptographic services for safeguarding sensitive data on Windows, and the Master Key is required to decrypt any data that has been protected with it. Windows generates an event with Event ID 4692 every time a backup of this key is attempted. The rule alerts security teams to potentially unauthorized attempts to access these encryption keys, which can indicate an attacker working toward compromising protected data. Legitimate events produced by the fallback mechanism for domain members are a known false positive for this rule. Even so, monitoring these backup attempts is important for maintaining security in environments that rely on DPAPI.
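As an added example (not part of the original rule page), the following Python matcher shows how the rule's core selection, Security channel plus Event ID 4692, would be evaluated over exported event records, and then groups the hits per host so a single boot-time fallback event on a domain member can be told apart from repeated attempts. The JSON log lines, host names, user names and key identifiers are constructed for the example; the event field names (SubjectUserName, MasterKeyId, RecoveryServer, FailureReason) follow the documented layout of Event ID 4692 but the values are placeholders.

```python
"""Minimal matcher for a DPAPI master key backup detection (Event ID 4692).

Added example; the rule selection mirrors the page's description, the log
lines below are constructed and do not come from a real system.
"""
import json
from collections import Counter
from typing import Dict, Iterable, List

# Sigma-style selection: every key/value pair must match the event record.
RULE = {
    "title": "DPAPI Domain Master Key Backup Attempt",
    "selection": {"Channel": "Security", "EventID": 4692},
}

# Constructed sample events (one JSON record per line, as a SIEM export might
# produce). Two are 4692 backup attempts, one is an unrelated logon, and one
# line is deliberately malformed to show the parser tolerates it.
SAMPLE_EVENTS = [
    '{"Channel": "Security", "EventID": 4692, "Computer": "WS01.corp.example", '
    '"SubjectUserName": "alice", "SubjectDomainName": "CORP", '
    '"MasterKeyId": "placeholder-guid-1", "RecoveryServer": "DC01.corp.example", '
    '"FailureReason": "0x0"}',
    '{"Channel": "Security", "EventID": 4624, "Computer": "WS01.corp.example", '
    '"SubjectUserName": "alice", "SubjectDomainName": "CORP"}',
    '{"Channel": "Security", "EventID": 4692, "Computer": "WS02.corp.example", '
    '"SubjectUserName": "svc_backup", "SubjectDomainName": "CORP", '
    '"MasterKeyId": "placeholder-guid-2", "RecoveryServer": "DC01.corp.example", '
    '"FailureReason": "0x0"}',
    "this line is not valid json and must be skipped",
]


def matches(event: Dict, selection: Dict) -> bool:
    """True when every selection field is present in the event with that value."""
    return all(event.get(field) == value for field, value in selection.items())


def run_rule(lines: Iterable[str], rule: Dict = RULE) -> List[Dict]:
    """Parse JSON log lines and return a summary record for each rule hit."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip unparsable lines rather than aborting the run
        if matches(event, rule["selection"]):
            hits.append({
                "rule": rule["title"],
                "Computer": event.get("Computer"),
                "user": f"{event.get('SubjectDomainName')}\\{event.get('SubjectUserName')}",
                "MasterKeyId": event.get("MasterKeyId"),
                "RecoveryServer": event.get("RecoveryServer"),
                "FailureReason": event.get("FailureReason"),
            })
    return hits


def count_by_host(hits: List[Dict]) -> Dict[str, int]:
    """Number of backup attempts per host; a triage aid (my design choice) for
    separating a lone fallback event on a domain member from repeated attempts."""
    return dict(Counter(h["Computer"] for h in hits))


if __name__ == "__main__":
    found = run_rule(SAMPLE_EVENTS)
    for hit in found:
        print(hit)
    print(count_by_host(found))
```

Running the block prints the two 4692 hits and a per-host count of one each; in a real deployment the host count would be compared against the expected single fallback event per domain member rather than alerting on every match.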
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Application Log
- File
Created: 2019-08-10