
Summary
This detection rule identifies user membership changes within a GitHub organization. It monitors GitHub audit log entries for the actions 'org.add_member' (a user was added to the organization) and 'org.remove_member' (a user was removed from it). The rule treats these actions as significant activity within the organization: an unexpected addition or removal may be a sign of an initial access attempt or of a supply chain compromise.

The rule carries an informational severity level, since a membership change does not by itself indicate malicious intent but is a change that may warrant further scrutiny. Test cases validate the rule by feeding it simulated log entries and comparing the outcome against the expected result, ensuring the detection operates as intended. Source details can be found in GitHub's official documentation on managing membership in organizations.
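What a rule implementing this detection could look like, as an added Python example written in the style of a Panther rule (it is not the rule's own source). The rule(), title() and severity() entry points and the event field names (action, actor, user, org) are assumptions about the GitHub audit log schema, and the sample events are constructed.

```python
# Added example: a Panther-style detection rule for GitHub organization
# membership changes. Not the rule's own source; field names are assumed.
from typing import Any, Dict, List

# GitHub audit log actions that record a membership change in an organization.
MEMBERSHIP_ACTIONS = {"org.add_member", "org.remove_member"}


def rule(event: Dict[str, Any]) -> bool:
    """Return True when the audit log entry records a user being added to
    or removed from an organization."""
    return event.get("action") in MEMBERSHIP_ACTIONS


def title(event: Dict[str, Any]) -> str:
    """Alert title naming the affected user, the verb, the org and the actor."""
    verb = "added to" if event.get("action") == "org.add_member" else "removed from"
    return (
        f"User [{event.get('user', '<unknown>')}] {verb} organization "
        f"[{event.get('org', '<unknown>')}] by [{event.get('actor', '<unknown>')}]"
    )


def severity(event: Dict[str, Any]) -> str:
    """Membership changes are informational: worth a look, not an incident."""
    return "INFO"


# Constructed sample events shaped like GitHub audit log entries (assumed fields).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"action": "org.add_member", "actor": "alice", "user": "bob", "org": "example-org"},
    {"action": "org.remove_member", "actor": "alice", "user": "carol", "org": "example-org"},
    {"action": "repo.create", "actor": "alice", "repo": "example-org/new-repo"},
]


def run_tests(events: List[Dict[str, Any]] = SAMPLE_EVENTS) -> List[Dict[str, Any]]:
    """Mimic the rule's test cases: evaluate each event and collect the results."""
    return [
        {
            "action": e.get("action"),
            "matched": rule(e),
            "title": title(e) if rule(e) else None,
            "severity": severity(e) if rule(e) else None,
        }
        for e in events
    ]


if __name__ == "__main__":
    for result in run_tests():
        print(result)
```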
Categories
- Cloud
- Web
- Identity Management
Data Sources
- User Account
- Application Log
ATT&CK Techniques
- T1195
Created: 2022-09-02