GitHub Actions Disable Security Workflow

Splunk Security Content

Summary
This detection rule identifies instances where a security workflow in GitHub Actions has been disabled. It looks at workflow runs triggered by push or pull request events and excludes workflows whose names contain 'security-testing', so that the remaining runs expose commits for which no security workflow ran. Disabling such workflows can indicate an attempt by an adversary to thwart security checks in order to introduce potentially malicious code undetected. Using GitHub logs, the rule consolidates the relevant statistics and metadata for the event, which enables tracking of changes within the repository.
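The following is an added example, not Splunk's own search: it reimplements the logic described above in Python over constructed sample events. It assumes a simplified event shape modelled on GitHub workflow_run payloads (fields repository.full_name, workflow_run.event, workflow_run.name and workflow_run.head_commit.id), groups push/pull_request runs by repository and head commit, and flags commits for which no workflow named 'security-testing' ran.

```python
from collections import defaultdict

# Constructed sample events, shaped loosely like GitHub workflow_run payloads.
# The field paths are an assumption for this example, not a real log export.
SAMPLE_EVENTS = [
    {"repository": {"full_name": "acme/api"},
     "workflow_run": {"event": "push", "name": "build", "head_commit": {"id": "aaa111"}}},
    {"repository": {"full_name": "acme/api"},
     "workflow_run": {"event": "push", "name": "security-testing", "head_commit": {"id": "aaa111"}}},
    {"repository": {"full_name": "acme/api"},
     "workflow_run": {"event": "push", "name": "build", "head_commit": {"id": "bbb222"}}},
    {"repository": {"full_name": "acme/web"},
     "workflow_run": {"event": "pull_request", "name": "lint", "head_commit": {"id": "ccc333"}}},
    # A scheduled run is not a push/pull_request trigger, so it must not count
    # as coverage for commit ccc333.
    {"repository": {"full_name": "acme/web"},
     "workflow_run": {"event": "schedule", "name": "security-testing", "head_commit": {"id": "ccc333"}}},
]

TRIGGERS = {"push", "pull_request"}
SECURITY_MARKER = "security-testing"


def find_commits_without_security_workflow(events):
    """Group push/pull_request workflow runs by (repository, head commit) and
    return the groups in which no workflow name contains SECURITY_MARKER."""
    runs = defaultdict(set)
    for ev in events:
        wr = ev.get("workflow_run", {})
        if wr.get("event") not in TRIGGERS:
            continue  # other triggers are out of scope for this detection
        key = (ev["repository"]["full_name"], wr["head_commit"]["id"])
        runs[key].add(wr.get("name", ""))
    flagged = {}
    for key, names in runs.items():
        if not any(SECURITY_MARKER in name for name in names):
            flagged[key] = sorted(names)
    return flagged


if __name__ == "__main__":
    for (repo, sha), names in find_commits_without_security_workflow(SAMPLE_EVENTS).items():
        print(f"{repo}@{sha}: ran {names}, no '{SECURITY_MARKER}' workflow")
```

A repository that never had a workflow matching the marker is flagged on every commit, so in practice the marker and the set of monitored repositories need tuning against a known-good baseline.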
Categories
  • Cloud
  • Application
Data Sources
  • Pod
  • Container
  • User Account
  • Application Log
ATT&CK Techniques
  • T1195.002
  • T1195
Created: 2024-11-14