This detection rule identifies updates made to scheduled tasks on Windows systems by monitoring relevant Windows event logs. Adversaries may exploit scheduled tasks to ensure persistence on a compromised system by altering legitimate task configurations, which can include enabling or disabling tasks. These changes are potentially harmful as they allow attackers to maintain their foothold in the environment while evading detection. This rule uses EQL (Event Query Language) to filter events based on specific criteria, excluding benign updates typically performed by system accounts and common predefined tasks identified as safe. The detection focuses on unusual updates that deviate from normal behavior, thus highlighting potential malicious activity that may indicate an ongoing attack or compromise. Potential false positives include legitimate updates from system accounts or software installations that generate task changes during setup, which this rule accounts for by filtering accordingly. For investigation, actions may include reviewing logs for specific task changes, checking associated user accounts for any signs of compromise, and correlating the update with other security events.