
Summary
This detection rule identifies the deletion of important scheduled tasks on Windows systems, which may indicate malicious activity aimed at stopping critical processes or services. It matches Event ID 141 from the Task Scheduler operational log, so that log source must be enabled for the rule to fire. The rule targets deletions of task names associated with system functionality: System Restore, Windows Defender, BitLocker, Windows Backup, Windows Update, Update Orchestrator, and Exploit Guard. To reduce false positives, it ignores events whose username contains 'AUTHORI' or 'AUTORI'. The intent is to uncover actions linked to data destruction or other malicious impact when adversaries misuse task scheduling.
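The rule's selection and filter logic, as an added Python example that is not part of the rule or this page, run over constructed Event ID 141 records. The task-path substrings, the field names Channel/EventID/TaskName/UserName and case-insensitive matching are assumptions.

```python
# Added example, not the rule's own code. Assumed: records are dicts keyed by
# Channel/EventID/TaskName/UserName, matching is case-insensitive, and the
# task-path substrings are derived from the page's list, not copied from the rule.
TASK_LOG = "Microsoft-Windows-TaskScheduler/Operational"

# Path fragments of the scheduled tasks treated as important (assumed).
IMPORTANT_TASK_PATTERNS = (
    "\\Windows\\SystemRestore\\SR",
    "\\Windows\\Windows Defender\\",
    "\\Windows\\BitLocker",
    "\\Windows\\WindowsBackup\\",
    "\\Windows\\WindowsUpdate\\",
    "\\Windows\\UpdateOrchestrator\\",
    "\\Windows\\ExploitGuard",
)
# Usernames containing these are ignored: they cover the built-in
# "NT AUTHORITY" accounts and localized spellings such as "AUTORITE NT".
EXCLUDED_USER_SUBSTRINGS = ("AUTHORI", "AUTORI")


def is_important_task_deletion(event):
    """True when one event record satisfies the rule's selection and filter."""
    if event.get("Channel") != TASK_LOG or event.get("EventID") != 141:
        return False
    task = event.get("TaskName", "").upper()
    user = event.get("UserName", "").upper()
    if not any(p.upper() in task for p in IMPORTANT_TASK_PATTERNS):
        return False
    return not any(s in user for s in EXCLUDED_USER_SUBSTRINGS)


def find_alerts(events):
    """Return (TaskName, UserName) for every record the rule would alert on."""
    return [(e["TaskName"], e["UserName"]) for e in events
            if is_important_task_deletion(e)]


# Constructed sample records, not real log data.
SAMPLE_EVENTS = [
    {"Channel": TASK_LOG, "EventID": 141, "UserName": "CORP\\jdoe",
     "TaskName": "\\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan"},
    {"Channel": TASK_LOG, "EventID": 141, "UserName": "NT AUTHORITY\\SYSTEM",
     "TaskName": "\\Microsoft\\Windows\\SystemRestore\\SR"},  # built-in account, filtered
    {"Channel": TASK_LOG, "EventID": 141, "UserName": "AUTORITE NT\\Syst\u00e8me",
     "TaskName": "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan"},  # filtered
    {"Channel": TASK_LOG, "EventID": 140, "UserName": "CORP\\jdoe",
     "TaskName": "\\Microsoft\\Windows\\BitLocker\\BitLocker MDM policy Refresh"},  # not 141
    {"Channel": TASK_LOG, "EventID": 141, "UserName": "CORP\\jdoe",
     "TaskName": "\\Corp\\Inventory"},  # not an important task
]
```

Calling `find_alerts(SAMPLE_EVENTS)` returns only the Windows Defender deletion by the interactive user; the built-in-account deletions, the non-141 event and the unrelated task are dropped.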
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Scheduled Job
Created: 2023-01-13