
Summary
This detection rule identifies suspicious scheduled tasks in Windows environments: tasks created or modified with schedule types that are commonly associated with malicious activity. The rule inspects process creation logs for the executable 'schtasks.exe', which is used to create, configure, change, or delete scheduled tasks on Windows. It triggers when a task is scheduled with a schedule type such as 'ONLOGON', 'ONSTART', 'ONCE', or 'ONIDLE', particularly when the task is set to run under an elevated account such as 'NT AUTHORITY' or 'SYSTEM'. To reduce false positives, the rule filters out legitimate uses that are known to occur in specific environments. Detecting such tasks matters because attackers use scheduled tasks as a persistence mechanism to maintain access to compromised systems.
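The following is an added, stand-alone re-implementation of the logic described above, written for this page; it is not the rule's own query or code from the rule's authors. It assumes process-creation events arrive as dicts with 'Image' and 'CommandLine' fields (Sysmon Event ID 1 style), that the schedule type is passed through schtasks' /SC switch and the run-as account through /RU, and that the environment-specific allowlist is a placeholder the deploying team fills in. The sample events are constructed, not real telemetry.

```python
import re

# Schedule types the rule treats as suspicious (taken from the rule summary).
SUSPICIOUS_SCHEDULE_TYPES = {"ONLOGON", "ONSTART", "ONCE", "ONIDLE"}
# Run-as principals the rule treats as elevated (taken from the rule summary).
ELEVATED_PRINCIPALS = ("NT AUTHORITY", "SYSTEM")

# Placeholder allowlist of task-name fragments known to be benign in a given
# environment. The single entry is a constructed example, not a real task name.
ALLOWLISTED_TASK_NAME_FRAGMENTS = ("\\EXAMPLE-ALLOWLISTED\\",)

# One token is either a double-quoted argument or a run of non-whitespace.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def tokenize(command_line):
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [t.strip('"') for t in _TOKEN.findall(command_line)]


def parse_schtasks_switches(command_line):
    """Map each /switch (upper-cased, without the slash) to its value.

    A switch followed directly by another switch or by nothing (e.g. /Create,
    /F) maps to None. Values keep their original case for reporting.
    """
    tokens = tokenize(command_line)
    switches = {}
    i = 1  # skip the executable itself
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            name = tok[1:].upper()
            value = None
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                value = tokens[i + 1]
                i += 1
            switches[name] = value
        i += 1
    return switches


def is_schtasks(image):
    """True when the created process image is schtasks.exe (any path, any case)."""
    return image.rsplit("\\", 1)[-1].lower() == "schtasks.exe"


def evaluate_event(event):
    """Return a short reason string if the event matches the rule, else None."""
    if not is_schtasks(event.get("Image", "")):
        return None
    switches = parse_schtasks_switches(event.get("CommandLine", ""))
    schedule = (switches.get("SC") or "").upper()
    if schedule not in SUSPICIOUS_SCHEDULE_TYPES:
        return None
    run_as = (switches.get("RU") or "").upper()
    if not any(principal in run_as for principal in ELEVATED_PRINCIPALS):
        return None  # task runs as the invoking user; outside this rule's scope
    task_name = switches.get("TN") or ""
    if any(frag.lower() in task_name.lower() for frag in ALLOWLISTED_TASK_NAME_FRAGMENTS):
        return None  # environment-specific false-positive filter
    return f"schtasks /SC {schedule} as {run_as} (task {task_name or '<unnamed>'})"


def scan(events):
    """Return (event, reason) pairs for every event that matches the rule."""
    hits = []
    for event in events:
        reason = evaluate_event(event)
        if reason:
            hits.append((event, reason))
    return hits


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /SC ONLOGON /TN "Updater" /TR "C:\Users\Public\u.exe" /RU "NT AUTHORITY\SYSTEM" /F'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc onstart /ru SYSTEM /tn "svc" /tr "cmd.exe /c start.bat"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /Create /SC DAILY /ST 03:00 /TN "Backup" /TR backup.cmd /RU SYSTEM'},  # schedule type not in scope
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /Create /SC ONLOGON /TN "Sync" /TR sync.exe'},  # no /RU: runs as current user
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /Create /SC ONIDLE /I 10 /TN "\EXAMPLE-ALLOWLISTED\Maint" /TR maint.exe /RU SYSTEM'},  # allowlisted
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c schtasks /Create /SC ONLOGON /RU SYSTEM /TN x /TR y'},  # the child schtasks.exe event is what matches
]

if __name__ == "__main__":
    for _, reason in scan(SAMPLE_EVENTS):
        print(reason)
```

Running the block prints two matches: the ONLOGON task running as NT AUTHORITY\SYSTEM and the ONSTART task running as SYSTEM. The DAILY task, the task with no run-as account, the allowlisted task, and the cmd.exe wrapper event are all dropped, the last one because the rule keys on the schtasks.exe process-creation event itself, which the wrapper would emit separately when it spawns schtasks.exe.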
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2022-09-09