VSSAudit

1 events across 1 channel

Event ID	Title	Channel
8222		Security

Event ID 8222 —

Provider: VSSAudit
Channel: Security
Collection Priority: Low (Splunk-UBA)

Fields #

Name	Description
`Data_0`	—
`Data_1`	—
`Data_2`	—
`Data_3`	—
`Data_4`	—
`Data_5`	—
`Data_6`	—
`Data_7`	—
`Data_8`	—
`Data_9`	—
`Binary`	—

Example Event #

{
  "system": {
    "provider": "VSSAudit",
    "guid": "",
    "event_source_name": "",
    "event_id": 8222,
    "version": 0,
    "level": 0,
    "task": 3,
    "opcode": 0,
    "keywords": 9268408033128480768,
    "time_created": "2026-03-11T03:42:05.833115+00:00",
    "event_record_id": 2437585,
    "correlation": {
      "ActivityID": "5D4D33E5-5A56-4133-97A4-E47BFB06AB1B"
    },
    "execution": {
      "process_id": 8,
      "thread_id": 1080
    },
    "channel": "Security",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Data_0": "S-1-5-18",
    "Data_1": "NT AUTHORITY\\SYSTEM",
    "Data_2": "0x0000000000001c10",
    "Data_3": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.378_none_6b5c1260907d1384\\TiWorker.exe",
    "Data_4": "{b8e0ebca-16b4-4bca-9c5c-a456b962a8ce}",
    "Data_5": "{72f8ce75-4f61-40c7-88c1-d0380d127139}",
    "Data_6": "{b5946137-7b9f-4925-af80-51abd60b20d5}",
    "Data_7": "LAB-WIN11",
    "Data_8": "\\\\?\\Volume{ce657ebb-70c7-4b8b-a13f-ff11b9725249}\\",
    "Data_9": "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy4",
    "Binary": ""
  },
  "message": ""
}