GitHub Pull Request from Unknown User

Splunk Security Content

Summary
This detection rule identifies pull requests opened on GitHub by users who are not part of the organization's known user base. The analytic uses a Splunk query to parse GitHub event logs and flags pull requests whose author user ID is absent or does not match any entry in the known-users lookup table. Pull requests from unknown users pose a significant security risk because they can introduce unauthorized or malicious code into repositories. Investigating such a pull request involves reviewing the author details, the repository involved, the head reference of the pull request, and the accompanying commit message. Mitigation consists of a thorough review of the requester and their changes to prevent security incidents such as data breaches or unauthorized code changes. Implementation requires indexing GitHub logs in Splunk so that this activity is visible.
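The following is an added illustration of the lookup logic described above, not the Splunk Security Content query itself: it runs over constructed GitHub pull-request events in webhook-style JSON, treats a constructed dictionary as the known-users lookup, and uses the pull request title in place of the commit message field (both are assumptions about the log format).

```python
import json

# Constructed known-users lookup keyed by GitHub user id (stands in for the Splunk lookup table).
KNOWN_USERS = {"12345": "alice", "67890": "bob"}

# Constructed GitHub pull_request events (webhook-style JSON, not real logs).
SAMPLE_EVENTS = [
    json.dumps({"action": "opened", "repository": {"full_name": "org/app"},
                "pull_request": {"user": {"id": 12345, "login": "alice"},
                                 "head": {"ref": "feature/login"}, "title": "Add login form"}}),
    json.dumps({"action": "opened", "repository": {"full_name": "org/app"},
                "pull_request": {"user": {"id": 99999, "login": "stranger"},
                                 "head": {"ref": "fix/ci"}, "title": "Update CI script"}}),
    json.dumps({"action": "opened", "repository": {"full_name": "org/infra"},
                "pull_request": {"user": {}, "head": {"ref": "main"}, "title": "No author id"}}),
    json.dumps({"action": "closed", "repository": {"full_name": "org/app"},
                "pull_request": {"user": {"id": 67890, "login": "bob"},
                                 "head": {"ref": "chore/deps"}, "title": "Bump deps"}}),
    "not json at all",
]


def flag_unknown_pull_requests(lines, known_users=KNOWN_USERS):
    """Return the investigation fields (author, repository, head ref, message)
    for each pull request whose author id is missing or not in the lookup."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole search
        pr = event.get("pull_request")
        if not isinstance(pr, dict):
            continue  # not a pull request event
        user = pr.get("user") or {}
        user_id = user.get("id")
        if user_id is not None and str(user_id) in known_users:
            continue  # author matches the known-users lookup
        findings.append({
            "author_id": None if user_id is None else str(user_id),
            "author_login": user.get("login"),
            "repository": (event.get("repository") or {}).get("full_name"),
            "head_ref": (pr.get("head") or {}).get("ref"),
            "message": pr.get("title"),  # assumption: PR title stands in for the commit message
            "reason": "author id missing" if user_id is None else "author id not in lookup",
        })
    return findings
```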
Categories
  • Cloud
  • Application
Data Sources
  • Web Credential
ATT&CK Techniques
  • T1195.001
  • T1195
Created: 2024-11-14