
Summary
This detection rule identifies the registration of the security event source named VSSAudit in Windows environments. VSSAudit is registered by the Volume Shadow Copy Service (VSS) when a shadow copy operation is performed, for example to create a backup or a snapshot of a volume. The rule monitors Windows Security Event IDs 4904 (an attempt was made to register a security event source) and 4905 (an attempt was made to unregister a security event source) where the source name is VSSAudit; both events belong to the Audit Policy Change subcategory of the audit policy, so that subcategory must be enabled for them to be written at all. These events are generated by legitimate operations, but a shadow copy can also be used to read the SAM registry hive, which is locked while Windows is running, so the rule is mapped to the MITRE ATT&CK credential access technique T1003.002 (OS Credential Dumping: Security Account Manager). The detection is classified as informational: a hit is useful context during an investigation but does not on its own indicate an active threat. Known false positives are shadow copy operations performed by the VSS service itself and backup processes run by system administrators.
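As an added worked example (not the rule's own query or any code from this page), the following Python applies the detection logic described above to a few constructed Windows Security events in JSON Lines form and triages the known false positive of scheduled backups with a host allowlist. The host names, the allowlist, the sample events and the JSON layout are assumptions; the field names AuditSourceName, ProcessName, SubjectUserName and SubjectDomainName follow the EventData of events 4904 and 4905.

```python
"""Added example (not the page's own rule): run the VSSAudit event-source
detection over constructed Security events and triage known false positives.

The JSON Lines layout and all host names are assumptions; the field names
follow the EventData of Security events 4904/4905.
"""
import json

EVENT_REGISTER = 4904    # An attempt was made to register a security event source
EVENT_UNREGISTER = 4905  # An attempt was made to unregister a security event source
SOURCE_NAME = "VSSAudit"

# Assumed: hosts where scheduled backups legitimately create shadow copies.
BACKUP_HOSTS = {"BACKUP01.corp.example"}

# Constructed sample log lines, not real telemetry. A raw string keeps the
# JSON escaping of the Windows paths intact.
SAMPLE_LOG = r"""
{"EventCode": 4904, "Computer": "BACKUP01.corp.example", "SubjectDomainName": "NT AUTHORITY", "SubjectUserName": "SYSTEM", "ProcessName": "C:\\Windows\\System32\\VSSVC.exe", "AuditSourceName": "VSSAudit"}
{"EventCode": 4905, "Computer": "BACKUP01.corp.example", "SubjectDomainName": "NT AUTHORITY", "SubjectUserName": "SYSTEM", "ProcessName": "C:\\Windows\\System32\\VSSVC.exe", "AuditSourceName": "VSSAudit"}
{"EventCode": 4904, "Computer": "WKSTN-07.corp.example", "SubjectDomainName": "NT AUTHORITY", "SubjectUserName": "SYSTEM", "ProcessName": "C:\\Windows\\System32\\VSSVC.exe", "AuditSourceName": "VSSAudit"}
{"EventCode": 4904, "Computer": "WKSTN-07.corp.example", "SubjectDomainName": "CORP", "SubjectUserName": "svc_app", "ProcessName": "C:\\Program Files\\ExampleApp\\app.exe", "AuditSourceName": "ExampleApp"}
{"EventCode": 4624, "Computer": "WKSTN-07.corp.example", "SubjectUserName": "jdoe"}
"""


def parse_log(text):
    """Parse JSON Lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_vssaudit(events):
    """Return one finding per 4904/4905 event whose source name is VSSAudit."""
    findings = []
    for ev in events:
        code = ev.get("EventCode")
        if code not in (EVENT_REGISTER, EVENT_UNREGISTER):
            continue
        if ev.get("AuditSourceName") != SOURCE_NAME:
            continue
        host = ev.get("Computer", "")
        findings.append({
            "host": host,
            "event_id": code,
            "action": "register" if code == EVENT_REGISTER else "unregister",
            "subject": f'{ev.get("SubjectDomainName", "")}\\{ev.get("SubjectUserName", "")}',
            "process": ev.get("ProcessName", ""),
            "severity": "informational",
            "technique": "T1003.002",
            # Known false positive: scheduled backups on designated hosts.
            "triage": "expected_backup_host" if host in BACKUP_HOSTS else "review",
        })
    return findings


def hosts_to_review(findings):
    """Distinct hosts with VSSAudit activity that are not on the backup allowlist."""
    return sorted({f["host"] for f in findings if f["triage"] == "review"})


if __name__ == "__main__":
    found = detect_vssaudit(parse_log(SAMPLE_LOG))
    for finding in found:
        print(finding)
    print("hosts to review:", hosts_to_review(found))
```

The triage step keys on the host rather than on the process or subject because the process recorded on 4904 is the component registering the event source, not necessarily the tool that requested the snapshot, so host and timing context separates administrator backups from unexpected shadow copies more reliably than the process name does.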
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Logon Session
- Process
ATT&CK Techniques
- T1003.002
Created: 2020-10-20