
Wiz CICD Scan Policy Updated Or Deleted

Panther Rules

Summary
This rule alerts when a CICD scan policy in the Wiz platform is updated or deleted. CICD scan policies define which findings (vulnerabilities, exposed secrets, infrastructure-as-code misconfigurations) fail or flag a build, so weakening or removing one can let a bad artifact pass through the continuous integration and continuous deployment (CICD) pipeline unnoticed. An actor with sufficient Wiz access can do this to switch off the control before pushing a malicious change, which is why the rule maps to ATT&CK T1562.001 (Impair Defenses: Disable or Modify Tools).

The detection inspects the action recorded in Wiz audit log events, in particular the 'DeleteCICDScanPolicy' action. Alerts are classified as Medium severity: changing a scan policy is a routine administrative task in most organizations, but an unplanned change is a direct weakening of pipeline security. The runbook directs responders to confirm the change against the approved change plan and to roll the policy back if it was not planned. The rule's data source is the Wiz audit log, and its deduplication and threshold settings keep a bulk or repeated policy edit from producing one alert per event.
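As an added illustration (not Panther's published rule or Wiz's code), the following Python sketches how a rule of this kind evaluates Wiz audit events and how deduplication collapses a bulk change into a single alert. The event field names (action, status, user.name, sourceIP, actionParameters) follow the general shape of Wiz audit log entries but are assumptions here, 'UpdateCICDScanPolicy' is inferred from the rule title rather than named on the page, and the sample events are constructed.

```python
# Added example for the detection described above. Not Panther's published rule
# or Wiz's code: field names follow the general shape of Wiz audit log entries
# but are assumed, and "UpdateCICDScanPolicy" is inferred from the rule title.
# "DeleteCICDScanPolicy" is the action the page itself names.
import json
from typing import Any

POLICY_CHANGE_ACTIONS = frozenset({"DeleteCICDScanPolicy", "UpdateCICDScanPolicy"})


def rule(event: dict[str, Any]) -> bool:
    """Fire only on a *successful* policy update or deletion.

    Denied or failed attempts are still worth hunting for, but they did not
    weaken the pipeline, so they should not page at Medium severity.
    """
    if event.get("status") != "SUCCESS":  # assumed status field and value
        return False
    return event.get("action") in POLICY_CHANGE_ACTIONS


def severity(event: dict[str, Any]) -> str:
    # Matches the page's classification; a routine admin action, but an
    # unexpected one removes a pipeline control.
    return "MEDIUM"


def _actor(event: dict[str, Any]) -> str:
    return (event.get("user") or {}).get("name", "<unknown user>")


def title(event: dict[str, Any]) -> str:
    verb = "deleted" if event.get("action") == "DeleteCICDScanPolicy" else "updated"
    return f"Wiz CICD scan policy {verb} by {_actor(event)}"


def dedup(event: dict[str, Any]) -> str:
    """Group by actor and action so one person editing many policies in a
    single change window yields one alert rather than a flood."""
    return f"{_actor(event)}:{event.get('action')}"


def alert_context(event: dict[str, Any]) -> dict[str, Any]:
    """What a responder needs to check the change against the change plan."""
    return {
        "action": event.get("action"),
        "actor": _actor(event),
        "source_ip": event.get("sourceIP"),
        "parameters": event.get("actionParameters"),
        "timestamp": event.get("timestamp"),
    }


# Constructed sample events; not real Wiz audit data.
SAMPLE_EVENTS = [
    {"action": "DeleteCICDScanPolicy", "status": "SUCCESS",
     "user": {"name": "alice@example.com"}, "sourceIP": "198.51.100.7",
     "actionParameters": {"input": {"id": "pol-111"}},
     "timestamp": "2024-09-16T10:00:00Z"},
    {"action": "UpdateCICDScanPolicy", "status": "SUCCESS",
     "user": {"name": "alice@example.com"}, "sourceIP": "198.51.100.7",
     "actionParameters": {"input": {"id": "pol-222"}},
     "timestamp": "2024-09-16T10:00:05Z"},
    # Failed deletion attempt: must not alert.
    {"action": "DeleteCICDScanPolicy", "status": "FAILED",
     "user": {"name": "mallory@example.com"}, "sourceIP": "203.0.113.9",
     "actionParameters": {"input": {"id": "pol-111"}},
     "timestamp": "2024-09-16T10:01:00Z"},
    # Read-only action: must not alert.
    {"action": "GetCICDScanPolicy", "status": "SUCCESS",
     "user": {"name": "bob@example.com"}, "sourceIP": "198.51.100.8",
     "actionParameters": {}, "timestamp": "2024-09-16T10:02:00Z"},
]


def evaluate(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Run the rule over a batch and return the alerts it would emit, merging
    events that share a dedup key the way an alert dedup window would."""
    alerts: dict[str, dict[str, Any]] = {}
    for event in events:
        if not rule(event):
            continue
        key = dedup(event)
        if key in alerts:
            alerts[key]["event_count"] += 1
            continue
        alerts[key] = {"title": title(event), "severity": severity(event),
                       "dedup": key, "event_count": 1,
                       "context": alert_context(event)}
    return list(alerts.values())


if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_EVENTS), indent=2))
```

Run over the four constructed events, the batch yields two Medium alerts for alice (one per action) and nothing for the failed attempt or the read-only call. Keying the dedup on actor and action rather than on policy ID is a deliberate choice: an attacker stripping many policies at once shows up as one alert with a growing event count instead of dozens of pages.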
Categories
  • Cloud
  • Infrastructure
  • Application
Data Sources
  • Wiz Audit Logs
ATT&CK Techniques
  • T1562.001
Created: 2024-09-16