GitHub Security Change, includes GitHub Advanced Security

Panther Rules

Summary
This detection rule monitors changes in GitHub Advanced Security features. Its primary function is to identify when key security tools (like Dependabot and Secret Scanner) are disabled on repositories or organizations. The rule is triggered by specific actions logged in GitHub's audit trails, targeting actions such as disabling secret scanning, Dependabot alerts, and security updates across both individual repositories and organization-wide settings. The severity level for this rule is classified as low, reflecting that while these actions are concerning, they may not always indicate immediate threats but should still be addressed to maintain security hygiene. The runbook advises confirming with GitHub administrators and re-enabling any necessary tools after detection.
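A sketch of the matching logic the summary describes, written in the `rule(event)` / `title(event)` style Panther rules use. This is an added example, not the Panther rule's source. The audit-log action names are taken from GitHub's audit log documentation and are an assumption about what the rule matches, and the sample events are constructed.

```python
# Added example, not the Panther rule's source.
# Assumption: these action names come from GitHub's audit log documentation;
# the page does not list the exact actions the rule matches.
DISABLE_ACTIONS = {
    # action -> (scope, feature)
    "repository_secret_scanning.disable": ("repository", "secret scanning"),
    "repository_secret_scanning_push_protection.disable": ("repository", "push protection"),
    "repository_vulnerability_alerts.disable": ("repository", "Dependabot alerts"),
    "secret_scanning.disable": ("organization", "secret scanning"),
    "secret_scanning_new_repos.disable": ("organization", "secret scanning for new repos"),
    "dependabot_alerts.disable": ("organization", "Dependabot alerts"),
    "dependabot_alerts_new_repos.disable": ("organization", "Dependabot alerts for new repos"),
    "dependabot_security_updates.disable": ("organization", "Dependabot security updates"),
    "dependabot_security_updates_new_repos.disable": ("organization", "Dependabot security updates for new repos"),
}


def rule(event):
    """Return True when the audit event disables a security feature."""
    return event.get("action") in DISABLE_ACTIONS


def title(event):
    """Build the alert title an analyst sees: what was disabled, where, by whom."""
    scope, feature = DISABLE_ACTIONS[event["action"]]
    target = event.get("repo") if scope == "repository" else event.get("org")
    actor = event.get("actor") or "<unknown actor>"
    return f"GitHub {feature} disabled on {scope} {target or '<unknown>'} by {actor}"


def triage(events):
    """Run the rule over a batch of events and return titles for the matches."""
    return [title(e) for e in events if rule(e)]


# Constructed sample events (field names follow GitHub's audit log JSON).
SAMPLE_EVENTS = [
    {"action": "repository_secret_scanning.disable", "actor": "alice-admin",
     "org": "example-org", "repo": "example-org/payments-api"},
    {"action": "dependabot_alerts.disable", "actor": "bob-owner", "org": "example-org"},
    {"action": "secret_scanning.enable", "actor": "alice-admin", "org": "example-org"},
    {"action": "repo.create", "actor": "carol", "org": "example-org", "repo": "example-org/docs"},
    {"actor": "malformed-event-without-action"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Only the two `.disable` events alert; the `.enable` event, the unrelated `repo.create` event and the event with no `action` field are ignored.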
Categories
  • Cloud
  • Application
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1562
Created: 2022-09-09