
Summary
This rule detects the creation and deletion of a scheduled task on a Windows host within a short interval, a pattern that indicates potential malicious activity. Adversaries use scheduled tasks (ATT&CK T1053.005) both for execution and for persistence; creating a task, letting it run, and deleting it shortly afterwards proxies execution through a trusted system component while leaving few forensic artifacts and evading detections that look only for long-lived tasks. The rule uses an event sequence query over the Windows Security log, pairing a task creation event (event ID 4698) with a deletion of the same task name on the same host (event ID 4699) within a five-minute window. It excludes task operations performed by computer (machine) accounts, whose user names end in $, to reduce false positives from routine system activity; creations and deletions by user and administrative accounts remain in scope. Events 4698 and 4699 are only written when the "Audit Other Object Access Events" subcategory of the Object Access audit policy is enabled, so hosts without that setting produce no signal for this rule. Scheduled tasks are a normal administrative tool, but a task that exists for only a few minutes is a strong indicator of an attacker executing a payload or staging a foothold.
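The sequence logic described above, implemented as an added Python example (not the rule's own query language or code) and run over a constructed set of sample events. The event dictionaries, the field names time/host/event_id/task/user, and the host and user names are assumptions made for the example; in real telemetry the task name and subject user come from the TaskName and SubjectUserName fields of events 4698 and 4699.

```python
from datetime import datetime, timedelta

# Window used by the rule: creation and deletion of the same task within five minutes.
MAXSPAN = timedelta(minutes=5)

# Constructed sample events (not real telemetry), reduced to the fields the rule keys on.
# event_id 4698 = "A scheduled task was created", 4699 = "A scheduled task was deleted"
# (Windows Security log). "user" stands in for the SubjectUserName field.
SAMPLE_EVENTS = [
    # created and deleted by a user account 90 s apart -> should match
    {"time": "2022-08-29T10:00:00", "host": "WS01", "event_id": 4698, "task": "\\Updater", "user": "jsmith"},
    {"time": "2022-08-29T10:01:30", "host": "WS01", "event_id": 4699, "task": "\\Updater", "user": "jsmith"},
    # deleted 20 minutes after creation -> outside the window, no match
    {"time": "2022-08-29T11:00:00", "host": "WS01", "event_id": 4698, "task": "\\Backup", "user": "jsmith"},
    {"time": "2022-08-29T11:20:00", "host": "WS01", "event_id": 4699, "task": "\\Backup", "user": "jsmith"},
    # machine account (name ends in $) -> filtered out even though it is a fast create/delete
    {"time": "2022-08-29T12:00:00", "host": "WS02", "event_id": 4698, "task": "\\Updater", "user": "WS02$"},
    {"time": "2022-08-29T12:00:05", "host": "WS02", "event_id": 4699, "task": "\\Updater", "user": "WS02$"},
    # deletion with no preceding creation on that host -> no match
    {"time": "2022-08-29T13:00:00", "host": "WS02", "event_id": 4699, "task": "\\Orphan", "user": "admin"},
    # same task name, creation and deletion on different hosts -> must not pair
    {"time": "2022-08-29T14:00:00", "host": "WS01", "event_id": 4698, "task": "\\Stage", "user": "admin"},
    {"time": "2022-08-29T14:02:00", "host": "WS02", "event_id": 4699, "task": "\\Stage", "user": "admin"},
]


def is_machine_account(user_name):
    """Computer accounts are named HOSTNAME$; the rule drops their events."""
    return user_name.endswith("$")


def find_temporary_tasks(events, maxspan=MAXSPAN):
    """Pair each task creation (4698) with the next deletion (4699) of the same
    task name on the same host, and report the pair if it falls within maxspan.
    This is the equivalent of a 'sequence by host, task name with maxspan=5m' query."""
    pending = {}   # (host, task) -> (creation time, creating user)
    matches = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if is_machine_account(ev["user"]):
            continue
        key = (ev["host"], ev["task"])
        when = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == 4698:
            # a newer creation supersedes an older unmatched one
            pending[key] = (when, ev["user"])
        elif ev["event_id"] == 4699 and key in pending:
            created_at, creator = pending.pop(key)
            lifetime = when - created_at
            if lifetime <= maxspan:
                matches.append({
                    "host": ev["host"],
                    "task": ev["task"],
                    "created_by": creator,
                    "deleted_by": ev["user"],
                    "lifetime_seconds": int(lifetime.total_seconds()),
                })
    return matches


if __name__ == "__main__":
    for hit in find_temporary_tasks(SAMPLE_EVENTS):
        print(f"{hit['host']}: task {hit['task']} created by {hit['created_by']} "
              f"and deleted by {hit['deleted_by']} after {hit['lifetime_seconds']}s")
```

Only the \Updater task on WS01 is reported: the \Backup task outlives the window, the WS02$ events are excluded by the machine-account filter, the \Orphan deletion has no matching creation, and \Stage is not paired because the creation and deletion occurred on different hosts. The $ exclusion is a tuning trade-off: it removes the frequent tasks that computer accounts create and remove during normal operation, but it also blinds the rule to an adversary who performs the same create/run/delete cycle under a machine account context.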
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Logon Session
- Application Log
- Process
- Scheduled Job
ATT&CK Techniques
- T1053
- T1053.005
Created: 2022-08-29