
Summary
This detection rule identifies the creation of scheduled tasks in Windows from the command line using the 'schtasks.exe' utility combined with the '-create' flag and an XML parameter. The rule leverages telemetry from EDR agents and focuses on Sysmon event data and Windows security logs that capture process execution information. This method is often used by malware such as Trickbot and Winter-Vivern to establish persistence on compromised systems or to execute malicious payloads without the user's knowledge. A match may indicate a compromised host and a foothold for follow-on activity such as data exfiltration or ransomware deployment.
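The detection logic described above, as an added example run over constructed process-creation events (not the rule's own query, and the event field names `image` and `cmdline` are assumed stand-ins for the Sysmon EventID 1 / Security 4688 fields the rule consumes):

```python
import re

# Constructed sample process-creation events; not taken from any real host.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Updater" /xml C:\Users\Public\task.xml'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe -create -xml "C:\ProgramData\t.xml" -tn Svc'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /query /tn "Updater"'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Backup" /tr backup.bat /sc daily'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c echo /create /xml"},
]

# schtasks accepts both '/' and '-' as the switch prefix, so match either.
CREATE_RE = re.compile(r"(?:^|\s)[/-]create(?:\s|$)", re.IGNORECASE)
XML_RE = re.compile(r"(?:^|\s)[/-]xml(?:\s|$)", re.IGNORECASE)
XML_ARG_RE = re.compile(r'[/-]xml\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def is_schtasks_xml_create(event):
    """True when the process is schtasks.exe creating a task from an XML definition."""
    image = event.get("image", "").lower()
    if not image.endswith("\\schtasks.exe"):
        return False  # same switches in another image (e.g. an echo) are not a hit
    cmdline = event.get("cmdline", "")
    return bool(CREATE_RE.search(cmdline) and XML_RE.search(cmdline))


def xml_path(cmdline):
    """Extract the XML file argument for triage (quoted or bare); None if absent."""
    m = XML_ARG_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def find_matches(events):
    """Return the command lines of all events that trigger the detection."""
    return [e["cmdline"] for e in events if is_schtasks_xml_create(e)]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print("ALERT:", hit, "->", xml_path(hit))
```

The extracted XML path is the first artifact to collect in triage, since the task definition inside it names the action the task will run.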
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1053.005
- T1053
Created: 2024-11-13