
Summary
The rule 'Rare Schedule Task Created' detects the creation of scheduled tasks whose names appear only rarely in the environment, a pattern that can indicate a threat actor establishing persistence on a compromised system. Scheduled tasks let an attacker execute code at fixed intervals or on system events (logon, boot, idle), which makes them a durable way to retain access. The detection is built on Windows Security Event ID 4698 ("A scheduled task was created"), which records the task name, the creating account and the full task definition (the TaskContent XML, including the command, arguments and triggers). Note that 4698 is only written when success auditing for the "Audit Other Object Access Events" subcategory is enabled; without it the rule has no data to work with. The logic counts 4698 events per task name within a configured time window and surfaces names seen fewer than five times, so a task that is new or unique to one host stands out from routine vendor update and maintenance tasks that fire across the fleet. The rule is associated with threat actors such as APT-K-47 and Turla, which indicates its relevance to advanced persistent threat activity, and with software abuse, notably by the BianLian ransomware. The Splunk implementation uses the `get_endpoint_data` and `get_endpoint_data_winevent` search macros to retrieve and normalise the endpoint event data before the rarity count is applied.
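The rarity logic described above, as an added example that is not the rule's own Splunk SPL and not code from the page: it reimplements the same idea in Python (count Event ID 4698 creations per task name inside a look-back window, report names seen fewer than the threshold) over constructed 4698 records so it runs offline. The event field names, the seven-day window, the vendor task name and the TaskContent XML samples are assumptions for the example; the rule's real window is a configuration choice.

```python
"""Rare scheduled-task creation detector over Windows Security Event ID 4698.

Added example, not the rule's Splunk SPL. It reimplements the rule's idea in
Python so it can run offline. All event records, field names and TaskContent
XML below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

# Namespace of the Task Scheduler XML carried in the 4698 TaskContent field.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

RARE_THRESHOLD = 5            # the rule flags names seen fewer than this many times
LOOKBACK = timedelta(days=7)  # assumed window; the real rule's window is configurable


def parse_task_content(xml_text):
    """Pull the action (command/arguments) and trigger types out of TaskContent XML."""
    root = ET.fromstring(xml_text)
    cmd = root.find(".//t:Exec/t:Command", TASK_NS)
    args = root.find(".//t:Exec/t:Arguments", TASK_NS)
    triggers = root.find("t:Triggers", TASK_NS)
    kinds = [c.tag.split("}", 1)[1] for c in triggers] if triggers is not None else []
    return {
        "command": cmd.text.strip() if cmd is not None and cmd.text else None,
        "arguments": args.text.strip() if args is not None and args.text else None,
        "triggers": kinds,
    }


def rare_task_creations(events, now, lookback=LOOKBACK, threshold=RARE_THRESHOLD):
    """Return one finding per TaskName created fewer than `threshold` times in the window.

    `events` are dicts with keys event_code, time (datetime), host, user,
    task_name and task_content (the 4698 TaskContent XML as a string).
    """
    start = now - lookback
    by_name = defaultdict(list)
    for ev in events:
        if ev.get("event_code") != 4698:          # only task-creation events count
            continue
        if not (start <= ev["time"] <= now):      # enforce the look-back window
            continue
        by_name[ev["task_name"]].append(ev)

    findings = []
    for name, evs in by_name.items():
        if len(evs) >= threshold:                  # fleet-wide noise, not rare
            continue
        evs.sort(key=lambda e: e["time"])
        details = parse_task_content(evs[-1]["task_content"])
        findings.append({
            "task_name": name,
            "count": len(evs),
            "first_seen": evs[0]["time"],
            "last_seen": evs[-1]["time"],
            "hosts": sorted({e["host"] for e in evs}),
            "users": sorted({e["user"] for e in evs}),
            **details,
        })
    return sorted(findings, key=lambda f: f["count"])


def _task_xml(command, arguments, trigger="CalendarTrigger"):
    """Build a minimal, constructed TaskContent document (no XML declaration)."""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f"<Triggers><{trigger}><Enabled>true</Enabled></{trigger}></Triggers>"
        '<Actions Context="Author"><Exec>'
        f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
        "</Exec></Actions></Task>"
    )


NOW = datetime(2024, 2, 9, 12, 0, 0)


def sample_events():
    """Constructed 4698 records: a vendor updater on six hosts, one rare task, noise."""
    evs = []
    for i in range(6):  # routine task created fleet-wide: should not be flagged
        evs.append({
            "event_code": 4698, "time": NOW - timedelta(hours=i),
            "host": f"ws{i:02d}", "user": "SYSTEM",
            "task_name": "\\VendorUpdateTaskMachine",
            "task_content": _task_xml("C:\\Program Files\\Vendor\\Update.exe", "/ua /installsource scheduler"),
        })
    evs.append({  # one-off task running encoded PowerShell at logon: should be flagged
        "event_code": 4698, "time": NOW - timedelta(hours=3),
        "host": "ws03", "user": "jdoe", "task_name": "\\Updater",
        "task_content": _task_xml("powershell.exe", "-nop -w hidden -enc SQBFAFgA", "LogonTrigger"),
    })
    evs.append({  # same rare name but outside the window: must not be counted
        "event_code": 4698, "time": NOW - timedelta(days=30),
        "host": "ws09", "user": "jdoe", "task_name": "\\Updater",
        "task_content": _task_xml("cmd.exe", "/c whoami"),
    })
    evs.append({  # 4702 (task updated) is a different event and is ignored here
        "event_code": 4702, "time": NOW - timedelta(hours=1),
        "host": "ws01", "user": "SYSTEM", "task_name": "\\Updater",
        "task_content": _task_xml("cmd.exe", "/c whoami"),
    })
    return evs


if __name__ == "__main__":
    for f in rare_task_creations(sample_events(), NOW):
        print(f"{f['task_name']} seen {f['count']}x on {f['hosts']} by {f['users']}: "
              f"{f['command']} {f['arguments']} triggers={f['triggers']}")
```

Running the block flags only `\Updater` (one creation, by an interactive user, executing encoded PowerShell on a logon trigger) and ignores the vendor task that fired on six hosts. Lowering `threshold` or widening `lookback` trades false negatives for noise; in practice the task command and trigger extracted from TaskContent are what an analyst triages on, which is why the finding carries them rather than just the count.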
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Scheduled Job
- Logon Session
ATT&CK Techniques
- T1053.005
Created: 2024-02-09