Schtasks Run Task On Demand

Splunk Security Content

Summary
This analytic rule detects the execution of Windows Scheduled Tasks from the command line, specifically instances where 'schtasks.exe' is invoked with the 'run' argument. The detection leverages endpoint logs that record process execution, focusing on the process name, its parent process, and the complete command line. The detection matters because attackers may abuse scheduled tasks for persistence or lateral movement, which poses a greater risk to network security. The rule uses several data sources, including Sysmon EventID 1 and Windows Event Log Security 4688, to track the relevant process activity. Users should be aware of potential false positives from legitimate administrative use of the Scheduled Task utility and may need to adjust the rule to filter out benign use cases.
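The detection logic the summary describes, as an added Python example rather than the Splunk rule's own SPL search: it applies the same test (process image is schtasks.exe and 'run' appears as a command-line argument) to process-creation events shaped like Sysmon EventID 1 and Security 4688 records, pulls out the task name and any remote host, and shows one way to filter the benign administrative cases the summary warns about. The field names, the sample events and the allowlist are constructed for the example and are not taken from the rule or from real telemetry.

```python
"""Added example: the schtasks.exe 'run' detection from the summary, applied to
constructed process-creation events. Not the Splunk rule's own SPL; the field
names, sample data and allowlist are assumptions made for this example."""
import shlex
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    source: str        # "sysmon_1" or "security_4688" (constructed label)
    host: str
    user: str
    parent_image: str  # full path of the parent process
    image: str         # full path of the created process
    command_line: str


def _tokens(command_line: str) -> List[str]:
    """Split a Windows command line; posix=False keeps backslashes intact."""
    try:
        parts = shlex.split(command_line, posix=False)
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        parts = command_line.split()
    return [p.strip('"') for p in parts]


def _arg_value(tokens: List[str], switch: str) -> Optional[str]:
    """Return the value following a schtasks switch such as /tn or /s."""
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == switch:
            return tokens[i + 1]
    return None


def is_schtasks_run(ev: ProcessEvent) -> bool:
    """Rule core: the image is schtasks.exe and 'run' is a command-line argument."""
    if ev.image.rsplit("\\", 1)[-1].lower() != "schtasks.exe":
        return False
    # Token match rather than a '*run*' substring so that '/TN RunBackup' does not trip it.
    return any(t.lower().lstrip("/-") == "run" for t in _tokens(ev.command_line))


# Tuning knob for the false positives the summary mentions (constructed example).
# A task path is weak evidence on its own: anyone who can create a task can name it.
BENIGN_TASK_PREFIXES = ("\\Microsoft\\Windows\\",)


def detect(events, allowlist=BENIGN_TASK_PREFIXES) -> List[dict]:
    """Return one finding per schtasks 'run' event that is not on the allowlist."""
    findings = []
    for ev in events:
        if not is_schtasks_run(ev):
            continue
        toks = _tokens(ev.command_line)
        task = _arg_value(toks, "/tn") or ""
        if any(task.startswith(p) for p in allowlist):
            continue
        findings.append({
            "source": ev.source, "host": ev.host, "user": ev.user,
            "parent": ev.parent_image.rsplit("\\", 1)[-1],
            "task": task,
            # '/S <host>' means the task was triggered on another machine:
            # the lateral-movement case rather than local persistence.
            "remote_host": _arg_value(toks, "/s"),
            "technique": "T1053",
        })
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("sysmon_1", "ws01", "CORP\\alice", "C:\\Windows\\System32\\cmd.exe",
                 "C:\\Windows\\System32\\schtasks.exe",
                 'schtasks.exe /Run /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start"'),
    ProcessEvent("security_4688", "ws02", "CORP\\bob",
                 "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "C:\\Windows\\System32\\schtasks.exe",
                 '"C:\\Windows\\System32\\schtasks.exe" /run /tn Updater'),
    ProcessEvent("sysmon_1", "ws03", "CORP\\carol", "C:\\Windows\\explorer.exe",
                 "C:\\Windows\\System32\\schtasks.exe",
                 "schtasks.exe /Create /TN RunBackup /TR backup.bat /SC daily"),
    ProcessEvent("sysmon_1", "ws03", "CORP\\carol", "C:\\Windows\\System32\\cmd.exe",
                 "C:\\Windows\\System32\\schtasks.exe",
                 "schtasks.exe /Query /TN Updater"),
    ProcessEvent("sysmon_1", "ws04", "CORP\\svc_admin", "C:\\Windows\\System32\\cmd.exe",
                 "C:\\Windows\\System32\\schtasks.exe",
                 "schtasks.exe /Run /S FILESERVER01 /U CORP\\svc_admin /TN Maintenance"),
]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the first event is dropped by the allowlist, the '/Create' and '/Query' invocations never match because 'run' is not an argument token, and the two remaining findings distinguish a local run (Updater, no remote host) from a run directed at FILESERVER01. The allowlist is the place the summary's tuning would happen; pairing it with the parent process and user is a stronger filter than the task path alone.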
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1053
Created: 2024-11-13