Remote Schedule Task Recon via ITaskSchedulerService

Sigma Rules

Summary
This rule detects remote RPC calls to the ITaskSchedulerService interface, which can indicate an attacker enumerating scheduled tasks on a host as reconnaissance ahead of lateral movement. It relies on telemetry from the RPC Firewall, which must be installed and configured to audit the task-scheduler interface; without that configuration no events are written and the rule never fires. The detection matches events whose EventLog field is 'RPCFW' with Event ID 3 and whose Interface UUID is the one associated with the task scheduler. To reduce false positives, a filter excludes specific Operation Numbers (OpNum) that would otherwise generate noise. Because legitimate management tooling also queries this interface remotely, baseline which client hosts are expected to do so and treat matches from unexpected clients as potential reconnaissance or lateral movement against the host's scheduled tasks.
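The following is an added example, not the rule's own code or anything from the RPC Firewall project: it implements the `selection and not filter` logic the summary describes and runs it over constructed sample events. The interface UUID is the ITaskSchedulerService UUID documented in MS-TSCH (not stated on this page); the excluded OpNum set and all event records are assumptions constructed for illustration, not the rule's actual filter list.

```python
"""Added example: evaluate the summarised Sigma logic over constructed RPCFW events.

The selection is EventLog == 'RPCFW', EventID == 3 and InterfaceUuid ==
ITaskSchedulerService; the filter drops OpNums that the rule treats as noise.
Field names mirror the summary; in a real deployment they come from the
Windows event written by the RPC Firewall.
"""

# ITaskSchedulerService interface UUID as documented in MS-TSCH (not on this page).
ITASKSCHEDULERSERVICE_UUID = "86d35949-83c9-4044-b424-db363231fd0c"

# Assumption: the page says the rule excludes "certain" OpNums without listing
# them, so this placeholder set must be replaced with the rule's own list.
EXCLUDED_OPNUMS = {0}


def matches_selection(event):
    """True when the event satisfies the rule's selection block."""
    uuid = str(event.get("InterfaceUuid", "")).lower()  # case-insensitive compare
    return (
        event.get("EventLog") == "RPCFW"
        and event.get("EventID") == 3
        and uuid == ITASKSCHEDULERSERVICE_UUID
    )


def is_filtered(event, excluded=EXCLUDED_OPNUMS):
    """True when the event's OpNum is in the rule's exclusion filter."""
    return event.get("OpNum") in excluded


def evaluate(events, excluded=EXCLUDED_OPNUMS):
    """Return the events that fire the rule: selection and not filter."""
    return [e for e in events if matches_selection(e) and not is_filtered(e, excluded)]


def hits_by_client(events, excluded=EXCLUDED_OPNUMS):
    """Count rule hits per client address to support baselining of expected sources."""
    counts = {}
    for e in evaluate(events, excluded):
        counts[e.get("ClientAddress", "?")] = counts.get(e.get("ClientAddress", "?"), 0) + 1
    return counts


# Constructed sample events (not real RPC Firewall output).
SAMPLE_EVENTS = [
    # Remote call on the task-scheduler interface with a non-excluded OpNum: fires.
    {"EventLog": "RPCFW", "EventID": 3, "InterfaceUuid": ITASKSCHEDULERSERVICE_UUID,
     "OpNum": 7, "ClientAddress": "10.0.0.5"},
    # Same interface (upper-case UUID) but an excluded OpNum: suppressed by the filter.
    {"EventLog": "RPCFW", "EventID": 3, "InterfaceUuid": ITASKSCHEDULERSERVICE_UUID.upper(),
     "OpNum": 0, "ClientAddress": "10.0.0.5"},
    # Different interface UUID (constructed value): not selected.
    {"EventLog": "RPCFW", "EventID": 3, "InterfaceUuid": "12345678-1234-1234-1234-123456789abc",
     "OpNum": 7, "ClientAddress": "10.0.0.9"},
    # Right interface, wrong Event ID (constructed): not selected.
    {"EventLog": "RPCFW", "EventID": 4, "InterfaceUuid": ITASKSCHEDULERSERVICE_UUID,
     "OpNum": 7, "ClientAddress": "10.0.0.9"},
    # Second hit from another client, to show per-source counting.
    {"EventLog": "RPCFW", "EventID": 3, "InterfaceUuid": ITASKSCHEDULERSERVICE_UUID,
     "OpNum": 12, "ClientAddress": "10.0.0.77"},
]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT", hit)
    print(hits_by_client(SAMPLE_EVENTS))
```

Comparing the UUID case-insensitively matters in practice, because Sigma string matching is case-insensitive while a naive backend translation may not be; the per-client count is the starting point for deciding which hosts are legitimate task-management sources before tuning the filter.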
Categories
  • Endpoint
  • Windows
  • Network
Data Sources
  • Application Log
  • Network Traffic
Created: 2022-01-01