
Summary
This rule detects the installation of an application integration (such as a GitHub App) in an organization's GitHub account. It monitors the organization audit log for the event type 'integration_installation.create', which records a successful installation, and checks whether the action was performed by a recognized member of the organization. Each matching audit log entry identifies the actor, the name of the installed integration, and the timestamp of the installation, which gives the security team what it needs to confirm with the actor whether the installation was intended. This matters because an installed integration receives the permissions it requests on the organization's repositories and data, so an unexpected installation can hand a third party access that nobody reviewed. The severity of this rule is low: installations should be monitored and reviewed, but they usually do not require immediate action unless further investigation uncovers malicious intent.
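To show how the rule's matching logic behaves over audit-log data, the following Python script is an added example written for this page; it is not the rule's own implementation, nor GitHub's code. It runs the check over a constructed newline-delimited JSON export. The 'action', 'actor', 'org' and 'created_at' field names follow the GitHub audit log API; the 'integration' field holding the installed app's name, the member list and the approved-integration list are assumptions made for illustration. It goes slightly beyond the rule as described by attaching two triage hints to each alert (unrecognized actor, integration not on the approved list), which is the check an analyst makes first when the low-severity alert fires.

```python
import json
from datetime import datetime, timezone

# Constructed sample audit-log export (one JSON object per line); not real data.
# `action`, `actor`, `org` and `created_at` (epoch milliseconds) are GitHub audit log
# fields; `integration` holding the installed app's name is assumed for this example.
SAMPLE_AUDIT_LOG = """\
{"action": "integration_installation.create", "actor": "alice", "org": "example-org", "integration": "dependabot", "created_at": 1670918400000}
{"action": "repo.create", "actor": "alice", "org": "example-org", "created_at": 1670918500000}
{"action": "integration_installation.create", "actor": "mallory", "org": "example-org", "integration": "repo-exfil-helper", "created_at": 1670918600000}
{"action": "integration_installation.create", "actor": "bob", "org": "example-org", "integration": "unreviewed-ci-bot", "created_at": 1670918700000}
{"action": "integration_installation.destroy", "actor": "alice", "org": "example-org", "integration": "dependabot", "created_at": 1670918800000}
"""

# Assumed organization inventory: known members and integrations cleared by security review.
ORG_MEMBERS = {"alice", "bob", "carol"}
APPROVED_INTEGRATIONS = {"dependabot", "codeql"}

# The audit-log action the rule triggers on.
RULE_ACTION = "integration_installation.create"


def parse_audit_log(text):
    """Parse a newline-delimited JSON audit-log export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_integration_installs(entries, members=ORG_MEMBERS, approved=APPROVED_INTEGRATIONS):
    """Apply the rule: every integration_installation.create event raises a low-severity alert.

    Each alert carries the actor, integration name and timestamp an analyst needs, plus
    two triage hints: whether the actor is a recognized member and whether the
    integration is on the approved list. Events with any other action are ignored,
    including uninstalls (integration_installation.destroy).
    """
    alerts = []
    for entry in entries:
        if entry.get("action") != RULE_ACTION:
            continue
        actor = entry.get("actor", "")
        integration = entry.get("integration", "<unknown>")
        ts = datetime.fromtimestamp(entry["created_at"] / 1000, tz=timezone.utc)
        alerts.append({
            "severity": "low",
            "org": entry.get("org"),
            "actor": actor,
            "integration": integration,
            "timestamp": ts.isoformat(),
            "actor_recognized": actor in members,
            "integration_approved": integration in approved,
        })
    return alerts


def needs_followup(alert):
    """Triage hint: escalate when the actor is unknown or the integration was not pre-approved."""
    return not (alert["actor_recognized"] and alert["integration_approved"])


if __name__ == "__main__":
    for a in detect_integration_installs(parse_audit_log(SAMPLE_AUDIT_LOG)):
        flag = "FOLLOW UP" if needs_followup(a) else "ok"
        print(f"[{a['severity']}] {a['timestamp']} {a['actor']} installed "
              f"{a['integration']} in {a['org']}: {flag}")
```

Against the constructed sample, the rule fires three times: the dependabot install by a known member is marked as needing no follow-up, while the install by an actor outside the member list and the install of an integration not on the approved list are both flagged for follow-up. The 'repo.create' and 'integration_installation.destroy' entries do not match and produce nothing.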
Categories
- Cloud
- Web
- Application
Data Sources
- Web Credential
- Application Log
Created: 2022-12-13