
Summary
The 'High Number of Closed Pull Requests by User' rule detects a surge of closed pull requests by a single user within a short timeframe: it counts closures over an eight-minute window, considering events from the past nine minutes. Such behaviour may indicate an adversary attempting to alter or disrupt development processes by rapidly closing many pull requests. The rule runs on GitHub audit log data and is written in ESQL (Event Structured Query Language). It matches only events whose event type is 'change' and whose action is 'pull_request.close', and it triggers when the number of closed pull requests by one user reaches or exceeds ten, a pattern that indicates potentially disruptive actions and heightens the risk to ongoing development work. The rule carries a medium severity with a risk score of 47 and maps to both the Impact and Exfiltration tactics of the MITRE ATT&CK framework.
Categories
- Cloud
Data Sources
- User Account
- Application Log
ATT&CK Techniques
- T1485
- T1020
- T1567
- T1567.001
Created: 2025-12-16