Github High Risk Configuration Disabled

Sigma Rules

Summary
This detection rule identifies when critical security configurations for a GitHub organization are disabled. Specifically, it targets changes to advanced security features such as Business Advanced Security, organization-wide OAuth app restrictions, and two-factor authentication requirements. Disabling these features weakens the organization's security posture, because they play a crucial role in enforcing security controls and protecting sensitive data. The rule relies on GitHub's audit logs, which lets security teams track and respond to these changes promptly, before they lead to a breach or unauthorized access. To use this rule, organizations must enable audit log streaming as outlined in GitHub's documentation.
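The matching described in the summary, sketched as an added example over constructed audit events; it is not the Sigma rule's own source. The three `action` values are assumed from GitHub's audit log event names (the page does not list them), and the field names follow the streamed audit log JSON format.

```python
import json

# Audit-log "action" values for the three settings the summary names.
# Assumption: taken from GitHub's audit log event names, not from this page.
HIGH_RISK_DISABLE_ACTIONS = {
    "business_advanced_security.disabled",
    "org.disable_oauth_app_restrictions",
    "org.disable_two_factor_requirement",
}

# Constructed sample of streamed audit events (JSON Lines); not real data.
SAMPLE_STREAM = """\
{"@timestamp": 1675000000000, "action": "org.disable_two_factor_requirement", "actor": "alice", "org": "example-org"}
{"@timestamp": 1675000060000, "action": "repo.create", "actor": "bob", "org": "example-org", "repo": "example-org/app"}
not-json garbage from a truncated batch
{"@timestamp": 1675000120000, "action": "org.disable_oauth_app_restrictions", "actor": "alice", "org": "example-org"}
{"@timestamp": 1675000180000, "action": "org.enable_two_factor_requirement", "actor": "carol", "org": "example-org"}
{"@timestamp": 1675000240000, "actor": "dave", "org": "example-org"}
"""

def find_high_risk_disables(stream_text):
    """Return (alerts, skipped): matching events and the count of unparseable lines."""
    alerts, skipped = [], 0
    for line in stream_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # count rather than silently drop: gaps can hide changes
            continue
        if not isinstance(event, dict):
            skipped += 1
            continue
        # Exact match on the action field, as a single-field Sigma selection would.
        if event.get("action") in HIGH_RISK_DISABLE_ACTIONS:
            alerts.append({
                "time_ms": event.get("@timestamp"),
                "action": event["action"],
                "actor": event.get("actor", "unknown"),
                "org": event.get("org", "unknown"),
            })
    return alerts, skipped

if __name__ == "__main__":
    hits, bad = find_high_risk_disables(SAMPLE_STREAM)
    for hit in hits:
        print(hit)
    print("unparseable lines:", bad)
```

A non-zero count of unparseable lines is worth alerting on separately, since a gap in the stream can hide a configuration change.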
Categories
  • Cloud
  • Web
  • Application
  • Identity Management
Data Sources
  • Cloud Service
  • Application Log
Created: 2023-01-29