GitHub Protected Branch Settings Changed

Elastic Detection Rules

Summary
This rule detects modifications to the protected branch settings of GitHub repositories, which are central to maintaining security and code integrity. Specifically, it tracks changes to the configuration of branches safeguarded under repository rules. Monitoring is needed because unauthorized changes to these settings can weaken an organization's security posture and let an adversary bypass essential safeguards such as required reviews and status checks. The rule uses the GitHub audit logs and matches any event whose 'github.category' is 'protected_branch' and whose 'event.type' is 'change'. It operates within the defined timeframe (from the last 9 months) and is written in EQL (Event Query Language) over the logs indexed under 'logs-github.audit-*'. When a change is detected, it should be investigated to confirm its legitimacy, given the impact such changes can have on code security workflows. The accompanying investigation guide helps security teams assess the fallout from unauthorized modifications and handle both false positives and genuine security events efficiently.
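To make the rule's filter concrete, here is an added example (not code from the Elastic rule itself) that applies the same two conditions, 'github.category' equals 'protected_branch' and 'event.type' contains 'change', to a few constructed audit-log lines and returns the fields an analyst would want for triage. The ECS field names (event.dataset, event.action, user.name, github.repo) and the sample events are assumptions, and the helper accepts both nested and dot-flattened documents because either shape shows up in practice.

```python
import json

# Constructed ECS-style GitHub audit events (not real log data). Field names
# are assumed to follow the Elastic GitHub integration's ECS mapping.
SAMPLE_LOG = r'''
{"@timestamp":"2023-08-29T10:00:00Z","event":{"dataset":"github.audit","type":["change"],"action":"protected_branch.update_admin_enforced"},"github":{"category":"protected_branch","repo":"acme/payments"},"user":{"name":"jdoe"}}
{"@timestamp":"2023-08-29T10:05:00Z","event":{"dataset":"github.audit","type":["creation"],"action":"protected_branch.create"},"github":{"category":"protected_branch","repo":"acme/payments"},"user":{"name":"jdoe"}}
{"@timestamp":"2023-08-29T10:06:00Z","event.dataset":"github.audit","event.type":"change","event.action":"repo.change_merge_setting","github.category":"repo","user.name":"svc-bot"}
{"@timestamp":"2023-08-29T10:07:00Z","event.dataset":"github.audit","event.type":"change","event.action":"protected_branch.update_pull_request_reviews_enforcement_level","github.category":"protected_branch","github.repo":"acme/infra","user.name":"mallory"}
'''


def get_field(event: dict, path: str):
    """Return a dotted ECS field whether the document is nested or flattened."""
    if path in event:  # flattened form, e.g. {"github.category": ...}
        return event[path]
    cur = event
    for part in path.split("."):  # nested form, e.g. {"github": {"category": ...}}
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_rule(event: dict) -> bool:
    """Mirror the rule's filter: GitHub audit data, protected_branch category, change type."""
    types = get_field(event, "event.type")
    types = types if isinstance(types, list) else [types]
    return (get_field(event, "event.dataset") == "github.audit"
            and get_field(event, "github.category") == "protected_branch"
            and "change" in types)


def run_rule(raw: str) -> list[dict]:
    """Parse NDJSON audit lines and return a triage record per matching event."""
    alerts = []
    for line in raw.strip().splitlines():
        event = json.loads(line)
        if matches_rule(event):
            alerts.append({
                "timestamp": get_field(event, "@timestamp"),
                "actor": get_field(event, "user.name"),
                "repo": get_field(event, "github.repo"),
                "action": get_field(event, "event.action"),
            })
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_LOG):
        print(alert)
```

Only the first and last sample lines match: the creation event fails the 'change' check and the merge-setting event falls under the 'repo' category, not 'protected_branch'.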
Categories
  • Cloud
  • Web
Data Sources
  • Cloud Storage
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1562
  • T1562.001
Created: 2023-08-29