
Summary
This analytic rule detects execution of 'schtasks.exe' with the '/change' and '/disable' parameters, the command used to disable an existing scheduled task. It uses data from Endpoint Detection and Response (EDR) agents, specifically process names and command-line arguments, drawn from event logs such as Sysmon and Windows Event Logs. The action is significant because adversaries, including malware such as IcedID, disable scheduled tasks to evade detection and to switch off security applications. The rule helps identify potentially malicious actions that could compromise the integrity of a Windows host. If this behavior is confirmed as malicious, it represents a critical operational risk: the attacker can bypass security measures that depended on the disabled task and escalate the attack.
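As an added illustration (not the rule's own query or code), the following Python sketch applies the same matching logic to constructed EDR-style process events: it normalises the image name, tokenises the command line the way a Windows shell would (quoted task names stay together), and flags only records where 'schtasks.exe' carries both '/change' and '/disable'. The field names and the sample events are assumptions for the example and do not come from the page.

```python
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed EDR-style process-creation events (not real telemetry). The field
# names are an assumption for this example; they mirror what a normalised Sysmon
# Event ID 1 or Windows Security 4688 record typically exposes.
@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    parent_process: str
    process_name: str     # image name or full image path
    command_line: str

SAMPLE_EVENTS: List[ProcessEvent] = [
    # True positive: quoted task name containing spaces, lower-case flags.
    ProcessEvent("ws01", "CORP\\alice", "cmd.exe", "schtasks.exe",
                 'schtasks.exe /change /tn "\\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan" /disable'),
    # True positive: full image path, mixed-case flags (schtasks flags are case-insensitive).
    ProcessEvent("ws02", "CORP\\bob", "powershell.exe", r"C:\Windows\System32\schtasks.exe",
                 r'"C:\Windows\System32\schtasks.exe" /Change /TN \Backup\Nightly /Disable'),
    # Benign: task enumeration only.
    ProcessEvent("ws03", "CORP\\carol", "explorer.exe", "schtasks.exe",
                 "schtasks.exe /query /fo LIST"),
    # Benign: /change without /disable (re-enabling a task).
    ProcessEvent("ws04", "CORP\\dave", "cmd.exe", "schtasks.exe",
                 r"schtasks.exe /change /tn \Backup\Nightly /enable"),
    # Benign: the flags alone are not enough, the image must be schtasks.exe.
    ProcessEvent("ws05", "CORP\\erin", "cmd.exe", "notepad.exe",
                 "notepad.exe /change /disable"),
]

TARGET_IMAGE = "schtasks.exe"


def _tokens(command_line: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted arguments whole.

    posix=False leaves backslashes literal; commenters is cleared so a '#' in a
    task name is not treated as a comment.  Surrounding quotes are stripped.
    """
    lex = shlex.shlex(command_line, posix=False)
    lex.whitespace_split = True
    lex.commenters = ""
    try:
        raw = list(lex)
    except ValueError:            # unbalanced quote: fall back to a plain split
        raw = command_line.split()
    return [t.strip('"') for t in raw]


def _image_name(process_name: str) -> str:
    """Reduce an image path such as C:\\Windows\\System32\\schtasks.exe to its file name."""
    return process_name.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_schtasks_disable(event: ProcessEvent) -> bool:
    """The rule's condition: image is schtasks.exe and the arguments carry /change and /disable."""
    if _image_name(event.process_name) != TARGET_IMAGE:
        return False
    flags = {t.lower() for t in _tokens(event.command_line) if t.startswith("/")}
    return "/change" in flags and "/disable" in flags


def task_name(command_line: str) -> Optional[str]:
    """Return the value following /tn, which names the task being changed, if present."""
    toks = _tokens(command_line)
    for i, tok in enumerate(toks[:-1]):
        if tok.lower() == "/tn":
            return toks[i + 1]
    return None


def detect(events: List[ProcessEvent]) -> List[Dict[str, Optional[str]]]:
    """Run the condition over a batch of events and return alert-ready records."""
    hits = []
    for ev in events:
        if is_schtasks_disable(ev):
            hits.append({
                "host": ev.host,
                "user": ev.user,
                "parent_process": ev.parent_process,
                "task": task_name(ev.command_line),
                "command_line": ev.command_line,
            })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['host']} {hit['user']} parent={hit['parent_process']} task={hit['task']}")
```

In triage, the extracted task name and parent process are what separate administrative use from the behaviour this rule targets: a helpdesk script disabling a backup job reads very differently from a scripting host disabling a security product's scheduled scan.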
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Scheduled Job
ATT&CK Techniques
- T1562.001
- T1562
Created: 2024-11-13