GitHub Branch Protection Disabled

Panther Rules

Summary
This detection rule identifies when branch protection is disabled on a GitHub repository, a potential indicator of malicious activity such as compromised administrative credentials. It is particularly relevant where stringent access controls are critical to code integrity and security: once branch protection is disabled, changes can be made without the checks that protection enforces, which facilitates malicious modification. The rule relies on GitHub audit logs to track events related to branch protection status. The associated tests cover two scenarios, branch protection being disabled and a protection rule being renamed, each with its expected outcome. Security incidents involving this finding may suggest a supply chain compromise or an attack aimed at modifying code without detection.
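An added illustration of the detection described above, written in the shape of a Panther Python rule and run over constructed GitHub audit-log events. This is not Panther's own rule code; it assumes the real GitHub audit-log field names "action", "actor" and "repo" and the real action names "protected_branch.destroy" and "protected_branch.update_name", and it treats a rename as non-alerting, which is an assumption about the rule's intent.

```python
# Added example, not Panther's rule code. A minimal Panther-style rule:
# alert only when a GitHub audit-log event records a protected-branch rule
# being deleted (protection disabled). Field and action names are real
# GitHub audit-log names; the sample events below are constructed.

ALERT_ACTION = "protected_branch.destroy"      # protection removed
BENIGN_ACTIONS = {"protected_branch.update_name"}  # rule renamed, still enforced


def rule(event: dict) -> bool:
    """Return True (alert) only when branch protection is destroyed."""
    action = event.get("action", "")
    if action in BENIGN_ACTIONS:
        return False
    return action == ALERT_ACTION


def title(event: dict) -> str:
    """Alert title naming the repository and the actor who disabled protection."""
    return (
        f"GitHub branch protection disabled on "
        f"[{event.get('repo', '<unknown>')}] by [{event.get('actor', '<unknown>')}]"
    )


def run_rule(events) -> list:
    """Apply rule() to each event and return the titles of alerting events."""
    return [title(e) for e in events if rule(e)]


# Constructed sample events (not real audit-log data).
SAMPLE_EVENTS = [
    {"action": "protected_branch.destroy",      # protection removed -> alert
     "actor": "some-admin", "repo": "example-org/example-repo",
     "created_at": "2022-09-02T10:00:00Z"},
    {"action": "protected_branch.update_name",  # rename only -> no alert
     "actor": "some-admin", "repo": "example-org/example-repo",
     "created_at": "2022-09-02T10:05:00Z"},
    {"action": "repo.create",                   # unrelated -> no alert
     "actor": "some-dev", "repo": "example-org/new-repo",
     "created_at": "2022-09-02T10:10:00Z"},
]

if __name__ == "__main__":
    for alert_title in run_rule(SAMPLE_EVENTS):
        print(alert_title)
```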
Categories
  • Web
  • Cloud
  • Application
Data Sources
  • Web Credential
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1195
Created: 2022-09-02