
Summary
This detection rule monitors changes to self-hosted runner configurations within an organization's GitHub environment. Self-hosted runners are systems that execute GitHub Actions jobs, and modifications to their settings may indicate unauthorized access or malicious activity. The detection focuses on a defined set of actions covering the addition, removal, or update of self-hosted runners or their associated runner groups. Because log entries may not capture the full context of a change, verification through the GitHub UI is advised to understand its implications. False positives may occur for legitimate administrative tasks and for automated removals of inactive self-hosted runners, which GitHub removes automatically if they have not connected to GitHub Actions within a set period (14 days for regular runners and 1 day for ephemeral runners). This rule requires the audit log streaming feature to be enabled so that the relevant actions are captured in real time.
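The following is an added example of the detection logic described above, applied to a few constructed audit-log-stream records; it is not the rule's own query and not code from GitHub. The action names follow GitHub's documented audit log action naming for runners and runner groups (org.*/repo.*/enterprise.*) and should be compared against the deployed rule's own list. The approved-actor set and the runner inventory (last connection time and ephemeral flag per runner) are hypothetical inputs the team would supply; they are used to down-rank expected administrative changes and removals that are consistent with the 14-day / 1-day inactivity windows, while still pointing the analyst at the GitHub UI for confirmation.

```python
import json
from typing import Dict, Iterable, Iterator, List, Optional, Set, Tuple

# Runner / runner-group lifecycle actions to alert on. Names follow GitHub's
# audit log action naming; verify the set against the deployed rule.
RUNNER_ACTIONS = frozenset({
    "org.register_self_hosted_runner",
    "org.remove_self_hosted_runner",
    "org.runner_group_created",
    "org.runner_group_removed",
    "org.runner_group_updated",
    "org.runner_group_runners_added",
    "org.runner_group_runner_removed",
    "org.runner_group_runners_updated",
    "repo.register_self_hosted_runner",
    "repo.remove_self_hosted_runner",
    "enterprise.register_self_hosted_runner",
    "enterprise.remove_self_hosted_runner",
})
REMOVAL_ACTIONS = frozenset(a for a in RUNNER_ACTIONS if "remove" in a)

DAY_MS = 86_400_000
INACTIVITY_WINDOW_MS = {"regular": 14 * DAY_MS, "ephemeral": 1 * DAY_MS}

# Constructed sample: newline-delimited JSON as an audit-log stream might
# deliver it (created_at as epoch milliseconds), including one malformed line.
SAMPLE_LOG = """\
{"action":"org.runner_group_created","actor":"ci-bot","org":"example-org","created_at":1706342400000,"name":"prod-runners"}
{"action":"repo.register_self_hosted_runner","actor":"unknown-user","repo":"example-org/payments","created_at":1706342460000,"name":"runner-7"}
{"action":"org.update_member","actor":"ci-bot","org":"example-org","created_at":1706342520000}
this line is not json
{"action":"org.remove_self_hosted_runner","actor":"ci-bot","org":"example-org","created_at":1706342580000,"name":"runner-3"}
"""

# Hypothetical runner inventory: name -> (last_connected_ms, ephemeral?).
# runner-3 last connected 20 days before its removal record above.
SAMPLE_INVENTORY: Dict[str, Tuple[int, bool]] = {
    "runner-3": (1706342580000 - 20 * DAY_MS, False),
}


def parse_records(text: str) -> Iterator[dict]:
    """Yield JSON objects from NDJSON text, skipping malformed lines."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            yield json.loads(raw)
        except json.JSONDecodeError:
            continue  # keep the pipeline alive; a dropped line is logged elsewhere


def consistent_with_inactivity_cleanup(last_connected_ms: int, removed_at_ms: int,
                                       ephemeral: bool) -> bool:
    """True when the removal happened after GitHub's inactivity window for this
    runner type, i.e. a plausible automatic removal rather than a manual one."""
    window = INACTIVITY_WINDOW_MS["ephemeral" if ephemeral else "regular"]
    return removed_at_ms - last_connected_ms >= window


def classify(record: dict, approved_actors: Set[str],
             inventory: Dict[str, Tuple[int, bool]]) -> Optional[dict]:
    """Return a finding for runner-related actions, or None for anything else."""
    action = record.get("action", "")
    if action not in RUNNER_ACTIONS:
        return None
    actor = record.get("actor", "<unknown>")
    target = record.get("name") or record.get("repo") or record.get("org") or "<unknown>"
    finding = {"action": action, "actor": actor, "target": target,
               "scope": action.split(".", 1)[0]}

    # Removal consistent with the inactivity window: likely automatic cleanup.
    if action in REMOVAL_ACTIONS and target in inventory:
        last_seen, ephemeral = inventory[target]
        if consistent_with_inactivity_cleanup(last_seen, record.get("created_at", 0), ephemeral):
            finding.update(priority="info",
                           note="removal consistent with automatic inactivity cleanup; confirm in the GitHub UI")
            return finding

    if actor in approved_actors:
        finding.update(priority="low",
                       note="actor is on the approved runner-admin list; confirm the change in the GitHub UI")
    else:
        finding.update(priority="high",
                       note="actor not approved for runner changes; verify in the GitHub UI")
    return finding


def detect(text: str, approved_actors: Set[str],
           inventory: Dict[str, Tuple[int, bool]]) -> List[dict]:
    return [f for f in (classify(r, approved_actors, inventory)
                        for r in parse_records(text)) if f]


def run_sample() -> List[dict]:
    return detect(SAMPLE_LOG, {"ci-bot"}, SAMPLE_INVENTORY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f['priority']}] {f['action']} by {f['actor']} on {f['target']}: {f['note']}")
```

Feeding the streamed log into `detect` with the organization's real approved-actor list and runner inventory gives three tiers of findings: high for an unexpected actor registering or altering runners, low for expected administrators, and info for removals that match the inactivity windows. None of the tiers replaces checking the change in the GitHub UI, since the log record alone does not show what the runner or group now has access to.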
Categories
- Cloud
- Identity Management
Data Sources
- User Account
- Application Log
- Web Credential
Created: 2023-01-27