
Summary
This detection rule identifies when a user creates a new GitHub Actions secret at any of four scopes: organization, environment, Codespaces, or repository. Monitoring secret creation matters because secrets hold sensitive material such as access tokens and API keys which, if compromised, can lead to unauthorized access or privilege escalation. The rule matches on the four distinct audit log actions associated with secret creation, one per scope. GitHub audit log streaming must be enabled so that these events reach the SIEM; without it the rule has no data to match.

When the rule fires, review the event: a newly created secret may indicate defense evasion, persistence, or initial access by a threat actor, particularly when the actor, scope, or secret name is unexpected. False positives are likely in environments where secrets are added frequently, so validate the actor (a known engineer or provisioning automation acting within its normal scope) before treating the alert as malicious, rather than suppressing the rule outright.
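The following Python is an added example, not the rule's own query or the rule author's code. It runs the detection over a constructed GitHub audit log stream (newline-delimited JSON) and applies the triage step from the summary: alerts from known automation are flagged rather than dropped. The four action names follow GitHub's audit log action reference and are an assumption of this example; the field names other than `action` and `actor` (`@timestamp`, `org`, `repo`, `name`) and the `deploy-bot` actor are also assumed and should be checked against your own stream.

```python
"""Toy detector for GitHub secret-creation audit events (added example)."""
import json
from dataclasses import dataclass

# Audit log actions emitted when an Actions/Codespaces secret is created,
# mapped to the scope they belong to. Names assumed from GitHub's audit log
# action reference; verify them against your own stream.
SECRET_CREATION_ACTIONS = {
    "org.create_actions_secret": "organization",
    "environment.create_actions_secret": "environment",
    "codespaces.create_an_org_secret": "codespaces",
    "repo.create_actions_secret": "repository",
}


@dataclass(frozen=True)
class Alert:
    timestamp: str
    actor: str
    scope: str
    action: str
    target: str        # org or repo the secret was created in
    secret_name: str
    expected_actor: bool  # True if the actor is known provisioning automation


def detect_secret_creation(events, known_automation=frozenset()):
    """Return one Alert per event whose action is a secret-creation action.

    Events with any other action are ignored. Actors listed in
    known_automation still produce an alert, but it is marked expected so an
    analyst can deprioritize it instead of the rule silently dropping it.
    """
    alerts = []
    for ev in events:
        action = ev.get("action")
        scope = SECRET_CREATION_ACTIONS.get(action)
        if scope is None:
            continue
        actor = ev.get("actor", "<unknown>")
        alerts.append(Alert(
            timestamp=str(ev.get("@timestamp", "")),
            actor=actor,
            scope=scope,
            action=action,
            target=ev.get("repo") or ev.get("org") or "",
            secret_name=ev.get("name", ""),
            expected_actor=actor in known_automation,
        ))
    return alerts


def parse_stream(text):
    """Parse a newline-delimited JSON audit log stream into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample stream, not real audit data. Two events are noise
# (a repo creation and a secret removal) and must not match.
SAMPLE_STREAM = "\n".join(json.dumps(e) for e in [
    {"@timestamp": "2023-01-20T10:00:00Z", "action": "org.create_actions_secret",
     "actor": "mallory", "org": "acme", "name": "AWS_ACCESS_KEY_ID"},
    {"@timestamp": "2023-01-20T10:01:00Z", "action": "repo.create_actions_secret",
     "actor": "deploy-bot", "org": "acme", "repo": "acme/web", "name": "NPM_TOKEN"},
    {"@timestamp": "2023-01-20T10:02:00Z", "action": "repo.create",
     "actor": "alice", "org": "acme", "repo": "acme/new-service"},
    {"@timestamp": "2023-01-20T10:03:00Z", "action": "environment.create_actions_secret",
     "actor": "alice", "org": "acme", "repo": "acme/web", "name": "PROD_DB_URL"},
    {"@timestamp": "2023-01-20T10:04:00Z", "action": "org.remove_actions_secret",
     "actor": "alice", "org": "acme", "name": "OLD_KEY"},
    {"@timestamp": "2023-01-20T10:05:00Z", "action": "codespaces.create_an_org_secret",
     "actor": "bob", "org": "acme", "name": "GH_PAT"},
])


if __name__ == "__main__":
    for a in detect_secret_creation(parse_stream(SAMPLE_STREAM), {"deploy-bot"}):
        flag = "expected" if a.expected_actor else "REVIEW"
        print(f"{a.timestamp} {flag:8} {a.actor:10} {a.scope:12} "
              f"{a.target or '-':16} {a.secret_name}")
```

Running the block prints four alerts, three of which are marked for review; the `deploy-bot` event is kept in the output but flagged as expected, which preserves the audit trail while letting triage focus on the human-initiated creations.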
Categories
- Cloud
- Web
- Application
- Identity Management
Data Sources
- Web Credential
- User Account
- Application Log
Created: 2023-01-20