
Summary
This detection rule identifies changes to the SSH certificate configuration of a GitHub organization. Specifically, it monitors for actions that create SSH certificate authorities or disable the SSH certificate requirement. The SSH certificate configuration is critical to user authentication and access control for the organization's repositories, so unauthorized modifications could indicate a security incident such as privilege escalation or an attempt to establish persistence. GitHub audit log streaming must be enabled for these changes to be captured and analyzed. The rule's level is medium, reflecting the impact such changes have on the organization's security posture. Administrators may perform legitimate activities that trigger this alert, so a thorough review of the context surrounding each detected change is needed to establish its legitimacy.
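The following Python snippet is an added example, not part of the rule or of the page, showing how the detection described above can be run over streamed GitHub audit log events (one JSON object per line). The field names `@timestamp`, `action`, `actor` and `org` follow the exported audit log format; the two action names in `WATCHED_ACTIONS` are assumed placeholders and should be replaced with the exact values from the rule's detection block. The sample log lines and the admin allowlist are constructed for the example.

```python
import json

# Action names the detection keys on. These are ASSUMED placeholders for the
# "create SSH certificate authority" and "disable SSH certificate requirement"
# events; substitute the exact action names used by the rule.
WATCHED_ACTIONS = {
    "org.ssh_certificate_authority_created",     # assumed name
    "org.ssh_certificate_requirement_disabled",  # assumed name
}

# Constructed sample of streamed audit log lines (one JSON object per line).
# The last line is deliberately malformed to show the parser skipping it.
SAMPLE_AUDIT_LOG = [
    '{"@timestamp": 1722240000000, "action": "org.ssh_certificate_requirement_disabled", '
    '"actor": "alice-admin", "org": "example-org"}',
    '{"@timestamp": 1722240060000, "action": "repo.create", '
    '"actor": "bob", "org": "example-org"}',
    '{"@timestamp": 1722240120000, "action": "org.ssh_certificate_authority_created", '
    '"actor": "mallory", "org": "example-org"}',
    'this line is not JSON',
]

# Constructed allowlist of accounts expected to manage SSH certificate settings.
KNOWN_ADMINS = {"alice-admin"}


def is_ssh_cert_config_change(event):
    """True if the audit event is one of the watched SSH certificate actions."""
    return event.get("action") in WATCHED_ACTIONS


def find_ssh_cert_config_changes(lines):
    """Parse JSON audit log lines and return the matching events.

    Malformed lines are skipped rather than aborting the scan, so a single bad
    record cannot suppress detections in the rest of the stream.
    """
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if is_ssh_cert_config_change(event):
            hits.append({
                "timestamp": event.get("@timestamp"),
                "org": event.get("org"),
                "actor": event.get("actor"),
                "action": event.get("action"),
            })
    return hits


def triage(hits, known_admins):
    """Annotate each hit for review.

    Every hit keeps the rule's medium level; the actor is compared against the
    allowlist so that reviewers can prioritise changes made by accounts that are
    not expected to touch the SSH certificate configuration.
    """
    triaged = []
    for hit in hits:
        annotated = dict(hit)
        annotated["level"] = "medium"
        annotated["actor_is_known_admin"] = hit["actor"] in known_admins
        triaged.append(annotated)
    return triaged


if __name__ == "__main__":
    for alert in triage(find_ssh_cert_config_changes(SAMPLE_AUDIT_LOG), KNOWN_ADMINS):
        print(alert)
```

Running the block prints two alerts: the requirement being disabled by an allowlisted admin and a certificate authority being created by an account that is not on the allowlist. Both still need the contextual review the summary calls for; the allowlist flag only orders the queue, it does not close an alert.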
Categories
- Cloud
- Application
- Identity Management
Data Sources
- Web Credential
- Application Log
Created: 2024-07-29