New GitHub App Installed

Elastic Detection Rules

Summary
This detection rule fires when a new GitHub App is installed in an organization's GitHub account. GitHub Apps extend GitHub by integrating with repositories and organization data, but each installation is granted a set of permissions, and an app with write access to code, membership or secrets is a direct path to unauthorized access and data manipulation. The rule uses Event Query Language (EQL) to query GitHub audit logs for the event that records a new app installation. Its risk score of 47 reflects a medium severity: an installation is not malicious in itself, but an adversary with a compromised account or a malicious app can use one to gain persistent, token-based access, so every new installation should be investigated promptly to confirm that it is legitimate and allowed by policy. The analysis guidance is to review the surrounding audit-log events, verify that the installing account is legitimate and was expected to perform the action, check the permissions the app was granted, and cross-reference the app against the organization's list of trusted apps. For installations that turn out to be unauthorized, the guidance is to revoke the app's permissions (uninstall it) and notify the security team.
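The detection and triage steps described above, carried out over a few constructed audit-log events, as an added example that is not Elastic's rule code or GitHub's own tooling. It assumes the audit log is available as a list of JSON objects in the shape of a GitHub audit-log export, that the installation event carries the action name `integration_installation.create`, and that the app name and granted permissions are present on the event (in practice the permissions are usually fetched separately from the installation API); `TRUSTED_APPS`, `SENSITIVE_SCOPES` and the sample events are assumptions made for the example.

```python
import json
from typing import Dict, List

# Audit-log action GitHub records when an app is installed in an organization.
# Assumed name for this example; confirm it against your own audit-log export.
APP_INSTALL_ACTION = "integration_installation.create"

# Apps the organization has already reviewed and approved (example assumption).
TRUSTED_APPS = {"dependabot", "github-actions"}

# Permission scopes where a write/admin grant lets an app change code, org
# membership, secrets or workflows. The selection is this example's judgement.
SENSITIVE_SCOPES = {"contents", "administration", "members",
                    "organization_secrets", "workflows"}

# Constructed sample events (not real audit data) in the shape of a GitHub
# audit-log JSON export. "integration" and "permissions" are assumed fields.
SAMPLE_AUDIT_LOG = json.loads("""[
 {"action": "integration_installation.create", "actor": "alice",
  "org": "example-org", "created_at": 1693300000000,
  "integration": "dependabot",
  "permissions": {"contents": "read", "metadata": "read"}},
 {"action": "repo.create", "actor": "bob", "org": "example-org",
  "created_at": 1693300100000, "repo": "example-org/new-service"},
 {"action": "integration_installation.create", "actor": "mallory",
  "org": "example-org", "created_at": 1693300200000,
  "integration": "ci-helper-bot",
  "permissions": {"contents": "write", "members": "write", "metadata": "read"}}
]""")


def is_app_install(event: Dict) -> bool:
    """Detection predicate: does this audit event denote a new app installation?"""
    return event.get("action") == APP_INSTALL_ACTION


def select_install_events(events: List[Dict]) -> List[Dict]:
    """Run the detection predicate over a batch of audit events."""
    return [e for e in events if is_app_install(e)]


def risky_permissions(permissions: Dict[str, str]) -> Dict[str, str]:
    """Return the granted permissions that are write/admin on a sensitive scope."""
    return {scope: level for scope, level in permissions.items()
            if scope in SENSITIVE_SCOPES and level in ("write", "admin")}


def triage(event: Dict, trusted_apps=TRUSTED_APPS) -> Dict:
    """Apply the investigation steps to one hit: who installed what, with which
    permissions, and is the app on the trusted list."""
    app = event.get("integration", "<unknown>")
    risky = risky_permissions(event.get("permissions", {}))
    trusted = app in trusted_apps
    if trusted and not risky:
        verdict = "expected"
    elif risky:
        verdict = "investigate: sensitive write permissions granted"
    else:
        verdict = "investigate: app not on trusted list"
    return {"app": app, "actor": event.get("actor"), "org": event.get("org"),
            "trusted": trusted, "risky_permissions": risky, "verdict": verdict}


def run(events: List[Dict] = SAMPLE_AUDIT_LOG) -> List[Dict]:
    """Detect installation events and triage each one; returns the findings."""
    return [triage(e) for e in select_install_events(events)]


if __name__ == "__main__":
    for finding in run():
        print(json.dumps(finding))
```

The `repo.create` event is ignored by the predicate, the `dependabot` installation is on the trusted list with read-only scopes and is marked expected, and the `ci-helper-bot` installation is flagged both because it is unknown and because it was granted `contents: write` and `members: write`, which is the combination the rule's investigation guidance singles out for revocation and escalation.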
Categories
  • Cloud
  • Identity Management
Data Sources
  • Application Log
  • Cloud Service
  • Web Credential
ATT&CK Techniques
  • T1072
Created: 2023-08-29