
Summary
This detection rule identifies remote procedure calls (RPCs) to the scheduled task management component of Windows systems, specifically calls made through the AtScv interface. It relies on logs from a custom RPC Firewall implementation that blocks unauthorized access attempts while auditing legitimate requests. By monitoring RPC Firewall (RPCFW) event logs for interactions with the AtScv interface, the rule aims to capture reconnaissance activity that could indicate an attacker probing the environment for information about scheduled tasks. The selection criteria check for EventID 3 in the logs together with the interface UUID of the AtScv interface. To improve detection accuracy, the rule also applies a filter that excludes the common operation numbers OpNum 0 and 1, which are considered benign. The overall intent of the rule is to improve visibility into potential lateral movement and unauthorized reconnaissance, strengthening proactive defenses against intrusions.
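The rule's logic (EventID 3, the AtScv interface UUID, minus OpNum 0 and 1) applied to constructed RPC Firewall log lines, as an added example that is not part of the rule or the RPC Firewall project. The key=value log layout, the client IP and process names, and the interface UUID are all assumptions; substitute the real UUID from the rule and the real event schema of your RPCFW logs.

```python
# Added example: evaluate the AtScv recon rule over constructed RPCFW events.
from dataclasses import dataclass
from typing import Iterable, List

# Placeholder only (assumption): replace with the AtScv interface UUID used by the rule.
ATSCV_INTERFACE_UUID = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
# The rule's filter: these operation numbers are treated as benign and excluded.
BENIGN_OPNUMS = {0, 1}


@dataclass(frozen=True)
class RpcfwEvent:
    event_id: int
    interface_uuid: str
    opnum: int
    client_ip: str
    process: str


def matches_atscv_recon(ev: RpcfwEvent) -> bool:
    """Return True when the event satisfies 'selection and not filter'."""
    selection = ev.event_id == 3 and ev.interface_uuid.lower() == ATSCV_INTERFACE_UUID.lower()
    return selection and ev.opnum not in BENIGN_OPNUMS


def parse_rpcfw_line(line: str) -> RpcfwEvent:
    """Parse one constructed key=value log line (assumed layout, not the real RPCFW schema)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return RpcfwEvent(
        event_id=int(fields["EventID"]),
        interface_uuid=fields["InterfaceUuid"],
        opnum=int(fields["OpNum"]),
        client_ip=fields["ClientIP"],
        process=fields["Process"],
    )


def alerts(lines: Iterable[str]) -> List[RpcfwEvent]:
    """Return the events that the rule would alert on."""
    return [ev for ev in map(parse_rpcfw_line, lines) if matches_atscv_recon(ev)]


# Constructed sample log: only the first line should fire (EventID 3, AtScv UUID, OpNum 2).
SAMPLE_LOG = [
    f"EventID=3 InterfaceUuid={ATSCV_INTERFACE_UUID} OpNum=2 ClientIP=10.0.0.5 Process=svchost.exe",
    f"EventID=3 InterfaceUuid={ATSCV_INTERFACE_UUID} OpNum=0 ClientIP=10.0.0.5 Process=svchost.exe",
    "EventID=3 InterfaceUuid=11111111-2222-3333-4444-555555555555 OpNum=2 ClientIP=10.0.0.7 Process=svchost.exe",
    f"EventID=1 InterfaceUuid={ATSCV_INTERFACE_UUID} OpNum=2 ClientIP=10.0.0.9 Process=svchost.exe",
]

if __name__ == "__main__":
    for ev in alerts(SAMPLE_LOG):
        print(f"ALERT: AtScv call OpNum={ev.opnum} from {ev.client_ip} ({ev.process})")
```

The second line is suppressed by the OpNum filter, the third targets a different interface, and the fourth is not an EventID 3 record, so only the first line alerts.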
Categories
- Windows
- Network
- On-Premise
Data Sources
- Application Log
- Network Traffic
Created: 2022-01-01