
New GitHub Self Hosted Action Runner

Elastic Detection Rules

Summary
This detection rule identifies self-hosted GitHub Action runners being created by users who are observed for the first time within a five-day window. The underlying risk is that adversaries may abuse self-hosted runners to execute unauthorized workflow jobs on the organization's infrastructure. The rule triggers on the registration of new runners by first-time users and aims to ensure that only authorized individuals can perform such actions. Investigative steps include validating the user's authorization, assessing the purpose of the runner, and checking for sensitive file access. The rule is part of a broader security posture against supply chain attacks and aims to mitigate the risk of unauthorized command execution on linked systems.
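To make the "first-time user within a five-day window" logic concrete, here is an added illustration (not the rule's own query or Elastic's new-terms engine) that replays constructed GitHub audit-log-style events and flags each runner registration whose actor has no earlier registration inside the window. The `event.action` values mirror GitHub's audit-log action names as an assumption; the field names and sample data are constructed for this example.

```python
from datetime import datetime, timedelta, timezone

# Assumed GitHub audit-log action names for self-hosted runner registration.
REGISTER_ACTIONS = {
    "org.register_self_hosted_runner",
    "repo.register_self_hosted_runner",
    "enterprise.register_self_hosted_runner",
}

# Constructed sample events (not real data) in a flattened ECS-like shape.
SAMPLE_EVENTS = [
    {"@timestamp": "2025-11-24T09:00:00Z", "user.name": "alice", "event.action": "org.register_self_hosted_runner"},
    {"@timestamp": "2025-11-27T10:00:00Z", "user.name": "alice", "event.action": "org.register_self_hosted_runner"},
    {"@timestamp": "2025-11-27T11:30:00Z", "user.name": "mallory", "event.action": "org.register_self_hosted_runner"},
    {"@timestamp": "2025-11-27T12:00:00Z", "user.name": "bob", "event.action": "workflows.cancel_workflow_run"},
    {"@timestamp": "2025-11-28T08:00:00Z", "user.name": "bob", "event.action": "repo.register_self_hosted_runner"},
    {"@timestamp": "2025-11-28T09:00:00Z", "user.name": "mallory", "event.action": "org.register_self_hosted_runner"},
]


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_new_runner_registrars(events, history_window=timedelta(days=5)):
    """Return registration events whose actor has not registered a runner
    within `history_window` before that event, i.e. a first-seen registrar.
    Non-registration events are ignored, matching the rule's scope."""
    last_registration = {}  # actor -> timestamp of their most recent registration
    alerts = []
    for ev in sorted(events, key=lambda e: _parse_ts(e["@timestamp"])):
        if ev.get("event.action") not in REGISTER_ACTIONS:
            continue
        actor = ev["user.name"]
        ts = _parse_ts(ev["@timestamp"])
        previous = last_registration.get(actor)
        # Checking only the most recent registration is enough: if it is
        # outside the window, every older one is too.
        if previous is None or ts - previous > history_window:
            alerts.append(ev)
        last_registration[actor] = ts
    return alerts


if __name__ == "__main__":
    for alert in find_new_runner_registrars(SAMPLE_EVENTS):
        print(f"{alert['@timestamp']} first-seen runner registration by {alert['user.name']}")
```

Alice's second registration falls inside the window of her first and is suppressed, while mallory and bob each alert once; bob's unrelated workflow event does not count as prior history.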
Categories
  • Cloud
  • Identity Management
  • Application
Data Sources
  • User Account
  • Application Log
  • Service
ATT&CK Techniques
  • T1195
  • T1195.002
Created: 2025-11-28