GitHub Enterprise Register Self Hosted Runner

Splunk Security Content

Summary
This analytic rule identifies the creation of self-hosted runners in GitHub Enterprise by monitoring audit logs for runner registration actions at the organization or enterprise level. Self-hosted runners execute jobs on infrastructure controlled by users rather than by GitHub, which makes them a potential target for exploitation. A compromised runner could lead to remote code execution, data exfiltration, and lateral movement within the network. Monitoring their creation is therefore critical for security operations center (SOC) teams, who need to verify legitimate use, especially when runners are registered by unknown users or in unexpected contexts. This detection flags such registrations so that abuse can be caught early and the GitHub Enterprise environment kept secure.
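The detection logic described above, written out as an added example over a handful of constructed audit-log events (this is illustrative code, not the Splunk Security Content search itself). It assumes the GitHub Enterprise audit log is available as JSON lines with the `action`, `actor`, `org`, `business`, `runner_name` and `actor_ip` fields, and that organization- and enterprise-level registrations appear under the actions `org.register_self_hosted_runner` and `enterprise.register_self_hosted_runner`; those field and action names follow GitHub's documented audit-log schema as I understand it and should be checked against your own export. The allow-list of expected runner administrators is constructed for the example and stands in for whatever baseline a SOC maintains.

```python
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample GitHub Enterprise audit-log events (JSON lines).
# These are not real records; names, IPs and timestamps are made up.
SAMPLE_AUDIT_LOG = """
{"@timestamp": 1737360000000, "action": "org.register_self_hosted_runner", "actor": "ci-admin", "org": "acme", "runner_name": "build-runner-01", "actor_ip": "203.0.113.10"}
{"@timestamp": 1737360060000, "action": "repo.create", "actor": "dev1", "org": "acme", "repo": "acme/app"}
{"@timestamp": 1737360120000, "action": "enterprise.register_self_hosted_runner", "actor": "unknown-user", "business": "acme-enterprise", "runner_name": "runner-x", "actor_ip": "198.51.100.7"}
{"@timestamp": 1737360180000, "action": "repo.register_self_hosted_runner", "actor": "dev2", "org": "acme", "repo": "acme/app", "runner_name": "repo-runner"}
{"@timestamp": 1737360240000, "action": "org.remove_self_hosted_runner", "actor": "ci-admin", "org": "acme", "runner_name": "build-runner-01"}
"""

# Registration actions at the organization and enterprise level, the scope of
# the analytic on this page. Repository-level registration is deliberately
# left out so the example matches the rule's stated scope.
RUNNER_REGISTRATION_ACTIONS = {
    "org.register_self_hosted_runner",
    "enterprise.register_self_hosted_runner",
}

# Assumed allow-list of identities expected to register runners (constructed).
EXPECTED_RUNNER_ADMINS = {"ci-admin"}


@dataclass
class RunnerRegistration:
    """One flagged runner registration with the context an analyst triages on."""
    timestamp_ms: int
    action: str
    actor: str
    scope: str                 # organization name, or enterprise ("business") name
    runner_name: str
    actor_ip: Optional[str]
    unexpected_actor: bool     # True when the actor is not on the allow-list


def parse_audit_events(raw: str) -> List[dict]:
    """Parse JSON-lines audit log text, skipping blank or malformed lines."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            # A single bad line should not abort the whole batch.
            continue
    return events


def detect_runner_registrations(events: List[dict],
                                expected_actors=EXPECTED_RUNNER_ADMINS) -> List[RunnerRegistration]:
    """Return org/enterprise-level runner registrations, marking unexpected actors."""
    hits = []
    for ev in events:
        action = ev.get("action", "")
        if action not in RUNNER_REGISTRATION_ACTIONS:
            continue
        # Org-level events carry "org"; enterprise-level events carry "business".
        scope = ev.get("org") or ev.get("business") or "<unknown>"
        actor = ev.get("actor", "<unknown>")
        hits.append(RunnerRegistration(
            timestamp_ms=int(ev.get("@timestamp", 0)),
            action=action,
            actor=actor,
            scope=scope,
            runner_name=ev.get("runner_name", "<unknown>"),
            actor_ip=ev.get("actor_ip"),
            unexpected_actor=actor not in expected_actors,
        ))
    return hits


if __name__ == "__main__":
    for hit in detect_runner_registrations(parse_audit_events(SAMPLE_AUDIT_LOG)):
        severity = "REVIEW" if hit.unexpected_actor else "info"
        print(f"[{severity}] {hit.action} by {hit.actor} in {hit.scope}: "
              f"runner={hit.runner_name} ip={hit.actor_ip}")
```

Of the five constructed events, only the two org- and enterprise-level registrations are returned; the repository-level registration and the removal are ignored, and the enterprise-level one by `unknown-user` is marked for review because the actor is not on the allow-list. In a real deployment the allow-list would be replaced by whatever identity baseline the SOC already keeps, and the `actor_ip` field gives a second pivot when the actor is unfamiliar.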
Categories
  • Cloud
  • Web
  • Application
  • Infrastructure
Data Sources
  • User Account
  • Application Log
  • Web Credential
ATT&CK Techniques
  • T1562.001
  • T1195
Created: 2025-01-20