GitHub Workflow File Creation or Modification

Splunk Security Content

Summary
This detection rule monitors and analyzes the creation or modification of GitHub Actions workflow files on Linux and Windows endpoints within an organization. It tracks all activity in '.github/workflows' directories, with a focus on YAML files. The goal is to establish a baseline of normal CI/CD activity while identifying suspicious or unauthorized changes that could indicate a supply chain attack. Because GitHub Actions workflows can access privileged deployment credentials and secrets, they are attractive targets for attackers. The rule helps detect unusual patterns such as unexpected workflow creation or modification during non-standard change windows, improving security posture against potential supply chain compromises, including known threats like the Shai-Hulud worm.
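The detection idea above, expressed as an added example over constructed endpoint file-activity records (this is not Splunk's search or any code from the page): path separators are normalised so Linux and Windows paths match alike, only YAML files directly under `.github/workflows` count, and each hit is tagged when it falls outside an assumed change window or comes from a user not in the baseline. The field names, the sample events, the 08:00-18:00 UTC weekday window and the baseline user list are all assumptions.

```python
from datetime import datetime, timezone
import posixpath

# Constructed sample events in the shape of a normalised endpoint
# file-activity record (field names are assumptions, not Splunk's own).
SAMPLE_EVENTS = [
    {"_time": "2025-11-25T10:15:00Z", "dest": "build-01", "user": "ci-bot",
     "action": "modified", "file_path": "/srv/repo/.github/workflows/ci.yml"},
    {"_time": "2025-11-26T02:40:00Z", "dest": "dev-laptop-7", "user": "jdoe",
     "action": "created", "file_path": "C:\\src\\app\\.github\\workflows\\release.yaml"},
    {"_time": "2025-11-26T11:00:00Z", "dest": "dev-laptop-7", "user": "jdoe",
     "action": "modified", "file_path": "C:\\src\\app\\.github\\README.md"},
    {"_time": "2025-11-29T14:05:00Z", "dest": "build-02", "user": "svc-deploy",
     "action": "created", "file_path": "/home/svc/.github/workflows/deploy.yml"},
]


def is_workflow_file(path: str) -> bool:
    """True if path is a YAML file sitting directly in a .github/workflows directory."""
    norm = path.replace("\\", "/")  # treat Windows and POSIX paths alike
    parent = posixpath.dirname(norm)
    name = posixpath.basename(norm)
    in_workflows_dir = parent == ".github/workflows" or parent.endswith("/.github/workflows")
    return in_workflows_dir and name.lower().endswith((".yml", ".yaml"))


def in_change_window(ts: str, start_hour: int = 8, end_hour: int = 18) -> bool:
    """Assumed change window: Monday to Friday, 08:00-18:00 UTC."""
    t = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return t.weekday() < 5 and start_hour <= t.hour < end_hour


def detect(events, baseline_users=frozenset()):
    """Return every workflow create/modify event, each tagged with the reasons it stands out."""
    hits = []
    for ev in events:
        if ev["action"] not in ("created", "modified"):
            continue
        if not is_workflow_file(ev["file_path"]):
            continue
        reasons = []
        if not in_change_window(ev["_time"]):
            reasons.append("outside_change_window")
        if ev["user"] not in baseline_users:
            reasons.append("user_not_in_baseline")
        hits.append({**ev, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS, baseline_users=frozenset({"ci-bot"})):
        print(hit["_time"], hit["dest"], hit["user"], hit["file_path"], hit["reasons"])
```

Events with an empty `reasons` list are the baseline CI/CD activity the rule is meant to learn; the tagged ones are the candidates for review.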
Categories
  • Endpoint
  • Cloud
  • Application
Data Sources
  • Process
  • File
ATT&CK Techniques
  • T1574.006
  • T1554
  • T1195
  • T1195.001
Created: 2025-11-25