A recent update was attempted to be applied to a workstation during routine patching.  During the process our EDR Crowdstrike alerted on two actions: VolumeShadowSnapshotHidden and VolumeShadowSnapshotDeleted and subsequently Crowdstrike quarantined the machine as the alert/action met our defined threshold for auto-containment.

With the heightened awareness around cybersecurity and current geo-political tensions, I'm seeking information on whether this activity is expected as it's not a common occurrence with other patching cycles. 

Command line: "C:\ProgramData\Package Cache\{2386715b-3ada-45f9-a7d4-d04786a8a113}\PBIDesktopSetup.exe" -q -burn.elevated BurnPipe.{32D4C68A-8C9D-4A1B-80B3-52A7B01AEC62} {B73DAC89-FAAC-4650-B4DB-5DAAF551C508} 11288

File Path: \Device\HarddiskVolume2\ProgramData\Package Cache\{2386715b-3ada-45f9-a7d4-d04786a8a113}\PBIDesktopSetup.exe

SHA256: cb72c6dd861a4e14572a5ff6983f103ba8d7aed6264f6baa27acb937db45752c

Thanks in advance.