New GitHub Personal Access Token (PAT) Added

Elastic Detection Rules

Summary
This detection rule identifies newly created GitHub Personal Access Tokens (PATs) that are granted access to a GitHub organization. Adversaries who compromise a GitHub account frequently mint a PAT because it gives them access that does not depend on the account's interactive session, and a token with broad scopes can also be used to escalate privileges within the organization. The rule uses EQL (Event Query Language) over events from the GitHub audit dataset and fires when an event records a new PAT being granted access to the organization's resources.

Creating a PAT is also routine developer activity, so the rule carries a risk score of 21, which corresponds to low severity in Elastic's scoring; treat an alert as a triage signal rather than evidence of compromise. When it fires, confirm with the token's owner that they created it, and review the token's scopes and the repositories it can reach. The rule is mapped to the MITRE ATT&CK tactics Persistence and Credential Access through the techniques Create Account (T1136, sub-technique Cloud Account T1136.003) and Steal Application Access Token (T1528).
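The following is an added example, not the rule's own EQL or any code from Elastic: it re-implements the filter described above in Python so the logic can be exercised offline against constructed sample events. The event shape (ECS-style `event.dataset` and `event.action`, a `github` object with `org` and `token_id`) and the action name `personal_access_token.access_granted` follow GitHub audit-log and Elastic integration naming but are assumptions; check them against your own indexed data before relying on them.

```python
"""Offline approximation of the 'New GitHub PAT Added' filter over sample audit events.

Added example, not the rule's own EQL. Field and action names are assumptions
about how GitHub audit events appear after Elastic's github.audit integration.
"""
import json
from typing import Iterable

# Assumed dataset and action that mark a PAT being granted access to an org.
DATASET = "github.audit"
PAT_GRANTED_ACTION = "personal_access_token.access_granted"

# Constructed NDJSON sample, one event per line. Only the first line should match:
# the others are a pending request, a revocation, an unrelated dataset, and a
# malformed line that a robust parser must skip rather than crash on.
SAMPLE_NDJSON = "\n".join([
    json.dumps({"@timestamp": "2023-12-16T10:01:00Z",
                "event": {"dataset": DATASET, "action": PAT_GRANTED_ACTION},
                "user": {"name": "alice"},
                "github": {"org": "example-org", "token_id": 1234567}}),
    json.dumps({"@timestamp": "2023-12-16T10:02:00Z",
                "event": {"dataset": DATASET, "action": "personal_access_token.request_created"},
                "user": {"name": "bob"},
                "github": {"org": "example-org", "token_id": 7654321}}),
    json.dumps({"@timestamp": "2023-12-16T10:03:00Z",
                "event": {"dataset": DATASET, "action": "personal_access_token.access_revoked"},
                "user": {"name": "alice"},
                "github": {"org": "example-org", "token_id": 1234567}}),
    json.dumps({"@timestamp": "2023-12-16T10:04:00Z",
                "event": {"dataset": "okta.system", "action": "user.session.start"},
                "user": {"name": "alice"}}),
    "{not valid json",
])


def parse_ndjson(text: str) -> list[dict]:
    """Parse NDJSON, skipping blank and malformed lines instead of aborting the run."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def matches_rule(event: dict) -> bool:
    """Mirror of the rule's filter: github.audit dataset and a PAT access-granted action."""
    ev = event.get("event") or {}
    return ev.get("dataset") == DATASET and ev.get("action") == PAT_GRANTED_ACTION


def detect_new_pats(events: Iterable[dict]) -> list[dict]:
    """Return one triage record per matching event: who, which org, which token, when."""
    alerts = []
    for e in events:
        if not matches_rule(e):
            continue
        gh = e.get("github") or {}
        alerts.append({
            "timestamp": e.get("@timestamp"),
            "actor": (e.get("user") or {}).get("name"),
            "org": gh.get("org"),
            "token_id": gh.get("token_id"),
            "risk_score": 21,      # the page's stated score
            "severity": "low",     # 21 maps to low in Elastic's scoring
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_new_pats(parse_ndjson(SAMPLE_NDJSON)):
        print(alert)
```

The pending request and the revocation deliberately do not match: only a token that has actually been granted access is a persistence concern, and alerting on requests would double the noise for a rule that is already low severity. The triage record carries the actor and token identifier so an analyst can go straight to confirming ownership and scopes.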
Categories
  • Cloud
Data Sources
  • User Account
  • Application Log
ATT&CK Techniques
  • T1136
  • T1136.003
  • T1528
Created: 2023-12-16