Windows Schtasks Create Run As System

Splunk Security Content

Summary
This rule detects the creation of a scheduled task with the Schtasks.exe utility that is configured to run under the SYSTEM account, which may indicate an attempt to escalate privileges or maintain persistence in a compromised environment. It monitors command-line executions and process details using process telemetry from Endpoint Detection and Response (EDR) solutions, such as Sysmon and Windows Event Logs. A new task that runs as SYSTEM can lead to severe consequences such as unauthorized data access, ransomware deployment, or full system compromise, so any match warrants immediate investigation to prevent further incidents.
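To make the detection logic concrete, the following Python is an added example written for this page; it is not the rule's own Splunk search and does not reproduce its SPL. It applies the check the summary describes (a schtasks.exe process creating a task with a run-as user of SYSTEM) to a handful of constructed Sysmon Event ID 1 style process-creation records. The field names (host, image, cmdline) and the sample events are assumptions made for the example. It also handles the three spellings schtasks accepts for the system account on /ru (SYSTEM, NT AUTHORITY\SYSTEM and the empty string ""), which a naive substring match on "system" would miss or over-match.

```python
import re

# Constructed Sysmon Event ID 1 style process-creation records (sample data, not real telemetry).
# Field names are an assumption for this example.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Updater" /tr "C:\Users\Public\u.exe" /sc onlogon /ru SYSTEM'},
    {"host": "ws01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /Create /RU "NT AUTHORITY\SYSTEM" /TN Backup /TR C:\tools\backup.bat /SC daily'},
    {"host": "ws02", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "MyTask" /tr notepad.exe /sc daily /ru alice'},
    {"host": "ws02", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /query /tn "Updater"'},
    {"host": "ws03", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn Cleanup /tr "C:\tmp\clean.bat" /sc minute /mo 5 /ru ""'},
    {"host": "ws03", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c echo /ru SYSTEM'},
]

# Values the schtasks /ru switch accepts for the system account: "", "SYSTEM" and "NT AUTHORITY\SYSTEM".
# Compared in lower case after stripping surrounding whitespace.
SYSTEM_PRINCIPALS = {"", "system", r"nt authority\system"}


def has_flag(cmdline, flag):
    """True if /<flag> appears as a standalone switch (case-insensitive), e.g. /create or /Create."""
    return re.search(r"(?i)(?:^|\s)/" + re.escape(flag) + r"(?=\s|$)", cmdline) is not None


def get_arg(cmdline, flag):
    """Return the value following /<flag>, quoted ("...") or bare, or None if the switch is absent.

    A quoted empty value (/ru "") is returned as "" so that the caller can tell
    'empty string, meaning SYSTEM' apart from 'switch not present'.
    """
    m = re.search(r'(?i)(?:^|\s)/' + re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def is_schtasks_create_as_system(event):
    """Detection predicate: schtasks.exe process, /create switch, run-as user resolves to SYSTEM."""
    # Key on the process image, not just the command text, so that other binaries that happen to
    # echo or log a "/ru SYSTEM" string (last sample event) do not fire the rule.
    if not event["image"].lower().endswith("\\schtasks.exe"):
        return False
    cmd = event["cmdline"]
    if not has_flag(cmd, "create"):
        return False
    run_as = get_arg(cmd, "ru")
    if run_as is None:
        return False
    return run_as.strip().lower() in SYSTEM_PRINCIPALS


def find_system_tasks(events):
    """Run the predicate over a list of events and return triage-ready findings."""
    findings = []
    for ev in events:
        if is_schtasks_create_as_system(ev):
            findings.append({
                "host": ev["host"],
                "task": get_arg(ev["cmdline"], "tn"),
                "action": get_arg(ev["cmdline"], "tr"),
                "run_as": get_arg(ev["cmdline"], "ru"),
                "cmdline": ev["cmdline"],
            })
    return findings


if __name__ == "__main__":
    for f in find_system_tasks(SAMPLE_EVENTS):
        print(f'{f["host"]}: task {f["task"]!r} runs {f["action"]!r} as {f["run_as"]!r}')
```

Of the six constructed events, three are flagged (the two explicit SYSTEM principals and the empty-string form on ws03); the task created to run as a normal user, the /query invocation and the cmd.exe line are not. The task name and action extracted into each finding are what an analyst needs first when triaging the alert, since a legitimate administrative task and a persistence mechanism look identical at the process level.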
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1053.005
  • T1053
Created: 2024-11-13