
Summary
This detection rule identifies the creation of scheduled tasks on remote Windows endpoints using the 'at.exe' command, which may indicate lateral movement or remote code execution attempts. The rule uses telemetry from Endpoint Detection and Response (EDR) tools, specifically process creation events in which 'at.exe' is launched with arguments that indicate remote execution (a remote computer name as the target). This matters for Security Operations Centers (SOCs) because it helps surface activity that could lead to unauthorized access or system compromise. The rule requires ingesting logs that record process activity, including full command-line arguments, so that the remote target and the scheduled command are visible.
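The detection logic described above, as an added example that is not part of the original rule or any vendor's implementation: it runs over a handful of constructed process creation events, matches on the process image name 'at.exe', and reports only invocations whose first argument is a remote computer name (a '\\host' token), classifying each as a task creation, deletion or listing from the at.exe argument syntax. The event schema (host, user, process, cmdline fields) is an assumption chosen for the example; a real EDR feed would need a mapping onto it.

```python
import re

# Constructed sample events (not real telemetry). Fields mirror the minimum a
# process creation log needs for this rule: image path and full command line.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice",
     "process": "C:\\Windows\\System32\\at.exe",
     "cmdline": "at.exe \\\\FILESRV01 23:59 cmd /c whoami > c:\\out.txt"},
    {"host": "ws01", "user": "CORP\\alice",
     "process": "C:\\Windows\\System32\\at.exe",
     "cmdline": "at 23:00 backup.bat"},                      # local task, out of scope
    {"host": "ws02", "user": "CORP\\svc-build",
     "process": "C:\\Windows\\System32\\at.exe",
     "cmdline": "\"C:\\Windows\\System32\\at.exe\" \\\\DC01 /delete /yes"},
    {"host": "ws02", "user": "CORP\\bob",
     "process": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks.exe /s \\\\DC01 /query"},         # different binary, not this rule
    {"host": "ws03", "user": "CORP\\carol",
     "process": "C:\\Windows\\System32\\at.exe",
     "cmdline": "at"},                                       # no arguments at all
]

# Tokeniser for Windows command lines: keeps double-quoted spans (e.g. a quoted
# image path) as one token, otherwise splits on whitespace.
_TOKEN = re.compile(r'"[^"]*"|\S+')
# at.exe schedules a task when a time argument (HH:MM) follows the target.
_TIME = re.compile(r"^\d{1,2}:\d{2}$")


def tokenize(cmdline):
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


def is_at_exe(process_path):
    """True when the image file name is at.exe, regardless of directory or case."""
    return process_path.replace("/", "\\").rsplit("\\", 1)[-1].lower() == "at.exe"


def remote_target(cmdline):
    """Return the remote computer name if the first at.exe argument is \\\\host, else None."""
    args = tokenize(cmdline)[1:]  # drop the program name itself
    if not args or not args[0].startswith("\\\\"):
        return None
    return args[0].lstrip("\\") or None


def classify_action(cmdline):
    """Map at.exe arguments to create / delete / list using its documented syntax."""
    args = [a.lower() for a in tokenize(cmdline)[1:]]
    if "/delete" in args:
        return "delete"
    if any(_TIME.match(a) for a in args):
        return "create"
    return "list"


def detect_remote_at(event):
    """Return a finding dict for remote at.exe use on one event, or None."""
    if not is_at_exe(event["process"]):
        return None
    target = remote_target(event["cmdline"])
    if target is None:
        return None
    return {
        "host": event["host"],
        "user": event["user"],
        "target": target,
        "action": classify_action(event["cmdline"]),
        "technique": "T1053.002",
        "cmdline": event["cmdline"],
    }


def run_detection(events):
    """Apply the rule to a sequence of events and collect the findings."""
    return [f for f in (detect_remote_at(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in run_detection(SAMPLE_EVENTS):
        print(f"{finding['host']} {finding['user']} -> {finding['target']} "
              f"({finding['action']}): {finding['cmdline']}")
```

Only the first and third sample events produce findings: the local 'at' invocation has no remote target, the schtasks.exe event is a different binary this rule does not cover, and the bare 'at' has no arguments. Triage on the 'action' field: a 'create' against a server from a workstation user account is the case the rule exists for, while 'list' and 'delete' are lower priority but still worth correlating with the same source host.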
Categories
- Windows
- Endpoint
- On-Premise
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1053
- T1053.002
Created: 2024-11-13