
Scheduled Task Deleted Or Created via CMD

Splunk Security Content

Summary
This detection rule identifies the creation or deletion of scheduled tasks through the 'schtasks.exe' utility, specifically looking for the '-create' and '-delete' flags on its command line. The analysis leverages data collected from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This behavior is important to monitor because it may signal unauthorized actions or malicious activity by threat actors, including advanced persistent threats such as Dragonfly or operations such as the SUNBURST attack. Malicious creation or deletion of scheduled tasks can lead to code execution, privilege escalation, or persistence on the system, ultimately compromising its security. The rule relies on EDR log data, primarily Sysmon Event IDs and Windows Security Event Log data, to track these events.
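As an added illustration of the logic described above (this is not the Splunk rule's own SPL), the following Python flags process-creation events in which schtasks.exe runs with a create or delete switch. The event records are constructed samples, the field names (Image, CommandLine, User, ParentImage) follow Sysmon's Event ID 1 conventions and are assumed here, and the example treats the '/' and '-' switch prefixes as equivalent because schtasks accepts both.

```python
import re

# Constructed sample process-creation events in Sysmon Event ID 1 style.
# These are not real telemetry; they exist only to exercise the detection.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "Updater" /tr C:\Users\Public\u.exe /sc minute /mo 5',
     "User": "CORP\\jdoe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks.exe -Delete -TN "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag" -F',
     "User": "NT AUTHORITY\\SYSTEM", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks.exe /query /fo LIST",
     "User": "CORP\\jdoe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo create delete",
     "User": "CORP\\jdoe", "ParentImage": r"C:\Windows\explorer.exe"},
]

# A create/delete switch must stand alone, prefixed by '/' or '-', so the bare
# words "create" or "delete" inside other arguments do not match.
FLAG_RE = re.compile(r"(?:^|\s)[/-](create|delete)\b", re.IGNORECASE)


def classify_schtasks_event(event):
    """Return 'create', 'delete' or None for a single process-creation event.

    A hit requires both conditions the rule describes: the image is
    schtasks.exe and the command line carries a create or delete switch.
    """
    image_name = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image_name != "schtasks.exe":
        return None
    match = FLAG_RE.search(event.get("CommandLine", ""))
    return match.group(1).lower() if match else None


def detect(events):
    """Run the classifier over a batch of events and return the hits with
    the context an analyst triages first: who ran it and from which parent."""
    hits = []
    for ev in events:
        action = classify_schtasks_event(ev)
        if action:
            hits.append({"action": action, "user": ev.get("User"),
                         "parent": ev.get("ParentImage"), "cmd": ev.get("CommandLine")})
    return hits


if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print(f"[{h['action']}] {h['user']} via {h['parent']}: {h['cmd']}")
```

The query-only invocation and the cmd.exe echo are left unflagged, which is the behaviour to confirm before tuning the rule's wildcards against noisy environments.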
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Application Log
ATT&CK Techniques
  • T1053.005
  • T1053
Created: 2025-01-27