
Summary
This rule detects the creation of a Scheduled Task inside a Group Policy Object by watching Windows Security logs for writes to the SYSVOL-stored ScheduledTasks.xml and related Policy paths. Specifically, it looks for Event ID 5145 (a detailed file share access event) on the SYSVOL share and filters for RelativeTargetName values matching patterns such as ...\ScheduledTasks\ScheduledTasks.xml or ...\Policies\*, with AccessList values that indicate creation or write access. The matching events are aggregated by Computer, ShareName, RelativeTargetName, and AccessList within a time window, which yields the first and last activity time for each change and flags modifications consistent with persistence via Scheduled Tasks deployed under a GPO.

The rule maps to MITRE ATT&CK techniques T1053.005 (Scheduled Task/Job: Scheduled Task) and T1484.001 (Domain Policy Modification: Group Policy Modification).

Legitimate GPO deployments produce the same events, so the rule can alert on approved changes; pairing it with an allowlist of approved GPO changes reduces false positives.

Operationally, the rule assumes logs originate from an EDR or EDR-integrated Windows telemetry source and requires complete command-line context for process-level correlation. The detection can be enriched by correlating it with Risk or other detections to assess the overall risk of the affected destination host.

References include Microsoft's Event ID 5145 documentation and best practices for auditing SYSVOL changes.
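The filtering and aggregation described above, written out as an added Python example (not the rule's own search logic and not code from the source): it takes constructed 5145-style records, keeps only SYSVOL writes to GPO paths, drops changes to allowlisted GPO GUIDs, and groups the rest on the rule's key fields to produce firstTime, lastTime and a count. The write-access codes %%4417 and %%4418 are assumed from Microsoft's 5145 field documentation; the field names, the sample domain "corp.example" and the GPO GUIDs are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Optional

# AccessList codes that Event ID 5145 reports for file creation or write
# (WriteData/AddFile, AppendData/AddSubdirectory). Assumed from Microsoft's
# 5145 documentation; widen or narrow the set when tuning.
WRITE_ACCESS_CODES = {"%%4417", "%%4418"}

# Only the SYSVOL share matters for GPO-backed scheduled tasks.
SYSVOL_SHARE = re.compile(r"^\\\\\*\\SYSVOL$", re.IGNORECASE)

# RelativeTargetName patterns taken from the rule description.
TARGET_PATTERNS = (
    re.compile(r"\\ScheduledTasks\\ScheduledTasks\.xml$", re.IGNORECASE),
    re.compile(r"\\Policies\\", re.IGNORECASE),
)

# GPO GUID embedded in the SYSVOL path; used for the allowlist lookup.
GPO_GUID = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.IGNORECASE)


def is_candidate(event: dict) -> bool:
    """True when the record is a 5145 write to a GPO path on the SYSVOL share."""
    if event.get("EventCode") != 5145:
        return False
    if not SYSVOL_SHARE.match(event.get("ShareName", "")):
        return False
    target = event.get("RelativeTargetName", "")
    if not any(p.search(target) for p in TARGET_PATTERNS):
        return False
    granted = set(event.get("AccessList", "").split())
    return bool(granted & WRITE_ACCESS_CODES)


def gpo_guid(target: str) -> Optional[str]:
    """Extract the GPO GUID (upper-cased, braces included) from a SYSVOL path."""
    m = GPO_GUID.search(target)
    return m.group(0).upper() if m else None


def detect(events, approved_gpos=frozenset()):
    """Aggregate candidate writes on Computer, ShareName, RelativeTargetName, AccessList.

    approved_gpos: upper-case GPO GUIDs (with braces) whose changes are known-good;
    their events are dropped before aggregation to suppress expected deployments.
    """
    buckets = defaultdict(list)
    for ev in events:
        if not is_candidate(ev):
            continue
        if gpo_guid(ev["RelativeTargetName"]) in approved_gpos:
            continue
        key = (ev["Computer"], ev["ShareName"], ev["RelativeTargetName"], ev["AccessList"])
        buckets[key].append(ev)

    findings = []
    for (computer, share, target, access), evs in buckets.items():
        times = sorted(datetime.fromisoformat(e["time"]) for e in evs)
        findings.append({
            "Computer": computer,
            "ShareName": share,
            "RelativeTargetName": target,
            "AccessList": access,
            "firstTime": times[0].isoformat(),
            "lastTime": times[-1].isoformat(),
            "count": len(evs),
            "users": sorted({e.get("SubjectUserName", "?") for e in evs}),
        })
    findings.sort(key=lambda f: f["firstTime"])
    return findings


def sysvol_path(*parts: str) -> str:
    """Join path components with backslashes, as RelativeTargetName is reported."""
    return "\\".join(parts)


# Constructed sample records (not real telemetry). GPO GUIDs are made up.
GPO_A = "{0E7B6D1C-2A55-4C6E-9B1B-1A2B3C4D5E6F}"
GPO_B = "{5D4C3B2A-1F0E-4D9C-8B7A-6F5E4D3C2B1A}"
GPO_C = "{9F8E7D6C-5B4A-4C3D-8E2F-1A0B9C8D7E6F}"
TASK_XML = ("Machine", "Preferences", "ScheduledTasks", "ScheduledTasks.xml")

SAMPLE_EVENTS = [
    # Two writes seconds apart to the same ScheduledTasks.xml: one finding, count 2.
    {"time": "2026-04-13T09:00:01", "EventCode": 5145, "Computer": "DC01.corp.example",
     "ShareName": r"\\*\SYSVOL", "SubjectUserName": "jdoe", "AccessList": "%%4417 %%4418",
     "RelativeTargetName": sysvol_path("corp.example", "Policies", GPO_A, *TASK_XML)},
    {"time": "2026-04-13T09:00:05", "EventCode": 5145, "Computer": "DC01.corp.example",
     "ShareName": r"\\*\SYSVOL", "SubjectUserName": "jdoe", "AccessList": "%%4417 %%4418",
     "RelativeTargetName": sysvol_path("corp.example", "Policies", GPO_A, *TASK_XML)},
    # Read-only access to the same file: not a write, ignored.
    {"time": "2026-04-13T09:01:00", "EventCode": 5145, "Computer": "DC01.corp.example",
     "ShareName": r"\\*\SYSVOL", "SubjectUserName": "svc-backup", "AccessList": "%%4416",
     "RelativeTargetName": sysvol_path("corp.example", "Policies", GPO_A, *TASK_XML)},
    # Write elsewhere under Policies\ (matches the second pattern).
    {"time": "2026-04-13T09:05:00", "EventCode": 5145, "Computer": "DC01.corp.example",
     "ShareName": r"\\*\SYSVOL", "SubjectUserName": "gpo-admin", "AccessList": "%%4417",
     "RelativeTargetName": sysvol_path("corp.example", "Policies", GPO_B, "Machine", "Registry.pol")},
    # Same path pattern on a different share: out of scope.
    {"time": "2026-04-13T09:06:00", "EventCode": 5145, "Computer": "DC01.corp.example",
     "ShareName": r"\\*\NETLOGON", "SubjectUserName": "jdoe", "AccessList": "%%4417",
     "RelativeTargetName": sysvol_path("scripts", "Policies", GPO_A, *TASK_XML)},
    # Approved deployment: suppressed when GPO_C is in the allowlist.
    {"time": "2026-04-13T09:07:00", "EventCode": 5145, "Computer": "DC01.corp.example",
     "ShareName": r"\\*\SYSVOL", "SubjectUserName": "gpo-admin", "AccessList": "%%4417 %%4418",
     "RelativeTargetName": sysvol_path("corp.example", "Policies", GPO_C, *TASK_XML)},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS, approved_gpos=frozenset({GPO_C})):
        print(finding)
```

Run without `approved_gpos` to see every SYSVOL write surface, including the approved one; the allowlist keyed on GPO GUID is the simplest form of the "approved GPO changes" suppression the summary recommends, and a production version would usually also key on the change-control ticket or the account that performed the deployment.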
Categories
- Windows
- Endpoint
Data Sources
- Scheduled Job
- Process
- Application Log
ATT&CK Techniques
- T1484.001
- T1053.005
Created: 2026-04-13