
Summary
The rule detects when a stored procedure is configured for automatic execution in Microsoft SQL Server by monitoring specific events logged in the application log. A stored procedure set with the 'sp_procoption' command runs automatically each time the server instance starts, which an attacker could exploit to maintain persistence within the database environment. Detection is based on event identifiers specific to SQL Server, where the event relates to execution of the 'sp_procoption' stored procedure. The MSSQL audit policy must be enabled for the relevant logs to be captured. Administrators occasionally make legitimate modifications to stored procedures, which can lead to false positives, so these events should be monitored closely and assessed against normal operational activity.
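As an added example (not the rule's own logic or code from this page), the following Python applies the detection described above to constructed audit records. The event ID 33205, the provider name MSSQLSERVER, and the key:value record layout are assumptions not stated on this page; the function names are hypothetical.

```python
import re
# Assumptions not stated on this page: audit records reach the Application log
# as event ID 33205 from provider "MSSQLSERVER", with a "key:value" text body.
PROVIDER, AUDIT_EVENT_ID = "MSSQLSERVER", 33205
FIELD = re.compile(r"^(\w+):(.*)$")
OPTION = re.compile(r"@OptionValue\s*=\s*N?'(\w+)'", re.I)

def parse_audit(data):
    """Split an audit record body into fields, joining multi-line statements."""
    fields, last = {}, None
    for line in data.replace("Audit event:", "", 1).splitlines():
        m = FIELD.match(line.strip())
        if m:
            last = m.group(1)
            fields[last] = m.group(2).strip()
        elif last and line.strip():
            # Continuation of the previous field (e.g. a wrapped statement).
            fields[last] += " " + line.strip()
    return fields

def detect(event):
    """Return alert context if the event records an EXEC of sp_procoption."""
    if event["provider"] != PROVIDER or event["event_id"] != AUDIT_EVENT_ID:
        return None
    f = parse_audit(event["data"])
    stmt = f.get("statement", "")
    if (f.get("object_name", "").lower() != "sp_procoption"
            or not re.search(r"\bexec(ute)?\b", stmt, re.I)):
        return None
    opt = OPTION.search(stmt)  # positional arguments yield "unknown"
    return {"principal": f.get("server_principal_name", "unknown"),
            "option_value": opt.group(1).lower() if opt else "unknown",
            "statement": stmt}

def _event(obj, stmt, provider=PROVIDER):
    body = ("Audit event: audit_schema_version:1\nsucceeded:true\n"
            "server_principal_name:CORP\\dba01\ndatabase_name:master\n"
            f"object_name:{obj}\nstatement:{stmt}\n")
    return {"provider": provider, "event_id": AUDIT_EVENT_ID, "data": body}

# Constructed sample events; principal and procedure names are made up.
SAMPLE_EVENTS = [
    _event("sp_procoption", "EXEC sp_procoption @ProcName = 'sp_nightly',\n"
           "  @OptionName = 'startup', @OptionValue = 'on'"),
    _event("sp_procoption", "EXEC sp_procoption @ProcName = 'sp_nightly', "
           "@OptionName = 'startup', @OptionValue = 'off'"),
    _event("sp_who", "EXEC sp_who"),
    _event("sp_procoption", "EXEC sp_procoption 'p','startup','on'", "OtherApp"),
]
ALERTS = [a for a in map(detect, SAMPLE_EVENTS) if a]
```

The `option_value` field separates enabling a startup procedure from disabling one, which helps when triaging administrator activity.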
Categories
- Database
Data Sources
- Application Log
Created: 2022-07-13