
Summary
This rule detects events related to the creation of volume shadow copies on Windows systems. The Volume Shadow Copy Service (VSS) supports backup and recovery of data, and attackers sometimes abuse it to obtain credential material by reading shadow copies of protected files, in particular the SAM (Security Account Manager) database. The detection monitors the Windows Event Log for Event ID 98 from the Microsoft-Windows-Ntfs provider, which indicates that a volume shadow copy has been created, and matches only when the device name contains 'HarddiskVolumeShadowCopy'. Because legitimate activity, such as scheduled backup processes, generates the same event, the context of each hit should be evaluated carefully; such benign backup activity is the expected source of false positives. The rule therefore serves as an alert mechanism for identifying potential unauthorized access to, or manipulation of, shadow copies in the environment.
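The matching logic described above, applied to event records in the Windows Event Log XML shape, as an added example (not the rule's own implementation); the sample records, the host name and the `DeviceName` data field are constructed for illustration:

```python
"""Apply the detection logic described above to Windows event records.
Constructed sample records in Event Log XML shape; nothing here is real log data."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _record(provider, event_id, device_name):
    """Build a constructed Event XML string carrying the fields the rule inspects."""
    return (
        f'<Event xmlns="{NS["e"]}"><System>'
        f'<Provider Name="{provider}"/><EventID>{event_id}</EventID>'
        '<Computer>host01.example.local</Computer></System>'
        f'<EventData><Data Name="DeviceName">{device_name}</Data></EventData></Event>'
    )

# Constructed samples: a shadow-copy hit, a normal volume, and a different event ID.
SAMPLE_EVENTS = [
    _record("Microsoft-Windows-Ntfs", 98, "\\Device\\HarddiskVolumeShadowCopy3"),
    _record("Microsoft-Windows-Ntfs", 98, "\\Device\\HarddiskVolume2"),
    _record("Microsoft-Windows-Ntfs", 55, "\\Device\\HarddiskVolumeShadowCopy3"),
]

def parse_event(xml_text):
    """Extract provider, event ID, computer and the EventData fields of one record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    return {
        "provider": system.find("e:Provider", NS).get("Name"),
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "data": {d.get("Name"): (d.text or "")
                 for d in root.findall("e:EventData/e:Data", NS)},
    }

def matches_rule(event):
    """Provider Microsoft-Windows-Ntfs, Event ID 98 and a DeviceName containing the
    shadow-copy marker; the substring test is case-insensitive, as Sigma 'contains' is."""
    device = event["data"].get("DeviceName", "").lower()
    return (event["provider"] == "Microsoft-Windows-Ntfs"
            and event["event_id"] == 98
            and "harddiskvolumeshadowcopy" in device)

def find_shadow_copy_events(xml_records):
    """Return the parsed records that trigger the rule, ready for triage
    against scheduled backup activity before an alert is raised."""
    return [e for e in map(parse_event, xml_records) if matches_rule(e)]
```

Only the first sample record triggers the rule; the normal volume event and the record with a different event ID are filtered out.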
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Logon Session
- Application Log
ATT&CK Techniques
- T1003.002
Created: 2020-10-20