
Summary
Detects the creation of a plugin archive (ZIP) under the TeamCity plugins directory, indicating a potential plugin installation on the TeamCity server. Legitimate plugin updates do occur, but an unexpected installation can give an adversary code execution on the server. The rule leverages endpoint telemetry (Sysmon FileCreate events via the Endpoint data model) to identify ZIP files created in the JetBrains TeamCity plugins path. It requires complete command-line data and process lineage (process GUID, name, parent process) from an EDR, normalized through Splunk CIM and mapped to the Endpoint Processes and Filesystem data models. The search aggregates by destination host, file action, file name, user, vendor product, file creation time, and related process information, then applies a filter macro (windows_teamcity_plugin_installed_filter) to refine detections. A match raises a risk-based alerting (RBA) event with the destination host as the risk object and the file path as the threat object, together with a message stating that a plugin archive was created on that host. False positives include legitimate administrator plugin installations, which should be reconciled with change-management records before investigation.
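As an added example (not the rule's own SPL and not code from Splunk or JetBrains), the following Python mirrors the stages the summary describes over a handful of constructed, CIM-normalized Sysmon FileCreate records: match ZIP creations under the plugins path, aggregate by the rule's key fields with count/firstTime/lastTime, apply a pass-through filter stage standing in for the windows_teamcity_plugin_installed_filter macro, and attach the RBA risk object, threat object and message. The plugins-directory pattern, the hosts, users, paths and GUIDs, and the inclusion of file_path in the grouping key (so the threat object can be populated) are assumptions made for this example.

```python
import re

# Constructed Sysmon FileCreate (Event ID 11) records, already normalized to
# Splunk CIM Endpoint.Filesystem field names. Every host, user, path, GUID and
# timestamp below is made up for this example.
SAMPLE_EVENTS = [
    {"_time": 1776075302, "dest": "tc-srv01", "action": "created",
     "file_name": "custom-hook.zip",
     "file_path": r"C:\ProgramData\JetBrains\TeamCity\plugins\custom-hook.zip",
     "user": r"CORP\svc_teamcity", "vendor_product": "Microsoft Sysmon",
     "file_create_time": "2026-04-13T10:15:02Z",
     "process_guid": "{00000000-0000-0000-0000-000000000001}",
     "process_name": "java.exe", "parent_process_name": "TeamCityService.exe"},
    # Same record ingested a second time; the aggregation collapses it (count 2).
    {"_time": 1776075303, "dest": "tc-srv01", "action": "created",
     "file_name": "custom-hook.zip",
     "file_path": r"C:\ProgramData\JetBrains\TeamCity\plugins\custom-hook.zip",
     "user": r"CORP\svc_teamcity", "vendor_product": "Microsoft Sysmon",
     "file_create_time": "2026-04-13T10:15:02Z",
     "process_guid": "{00000000-0000-0000-0000-000000000001}",
     "process_name": "java.exe", "parent_process_name": "TeamCityService.exe"},
    # Non-archive file in the plugins directory: not a plugin install.
    {"_time": 1776075400, "dest": "tc-srv01", "action": "created",
     "file_name": "readme.txt",
     "file_path": r"C:\ProgramData\JetBrains\TeamCity\plugins\readme.txt",
     "user": r"CORP\svc_teamcity", "vendor_product": "Microsoft Sysmon",
     "file_create_time": "2026-04-13T10:16:40Z",
     "process_guid": "{00000000-0000-0000-0000-000000000001}",
     "process_name": "java.exe", "parent_process_name": "TeamCityService.exe"},
    # ZIP outside the plugins directory (a build artifact): not matched.
    {"_time": 1776075500, "dest": "tc-srv01", "action": "created",
     "file_name": "build-123.zip",
     "file_path": r"C:\ProgramData\JetBrains\TeamCity\system\artifacts\build-123.zip",
     "user": r"CORP\svc_teamcity", "vendor_product": "Microsoft Sysmon",
     "file_create_time": "2026-04-13T10:18:20Z",
     "process_guid": "{00000000-0000-0000-0000-000000000001}",
     "process_name": "java.exe", "parent_process_name": "TeamCityService.exe"},
    # Interactive admin dropping an archive: matched, but change-managed.
    {"_time": 1776080000, "dest": "tc-srv02", "action": "created",
     "file_name": "approved-backup-plugin.zip",
     "file_path": r"C:\ProgramData\JetBrains\TeamCity\plugins\approved-backup-plugin.zip",
     "user": r"CORP\tc_admin", "vendor_product": "Microsoft Sysmon",
     "file_create_time": "2026-04-13T11:33:20Z",
     "process_guid": "{00000000-0000-0000-0000-000000000002}",
     "process_name": "explorer.exe", "parent_process_name": "userinit.exe"},
]

# Assumed location of the TeamCity plugins directory on Windows hosts.
PLUGIN_DIR = re.compile(r"\\TeamCity\\plugins\\", re.IGNORECASE)

# Key fields named in the rule summary, plus file_path (assumed) for the threat object.
GROUP_BY = ("dest", "action", "file_name", "file_path", "user", "vendor_product",
            "file_create_time", "process_guid", "process_name", "parent_process_name")


def is_plugin_archive_create(ev):
    """Stage 1: a FileCreate of a .zip whose path sits under the plugins directory."""
    return (ev.get("action") == "created"
            and ev.get("file_name", "").lower().endswith(".zip")
            and PLUGIN_DIR.search(ev.get("file_path", "")) is not None)


def teamcity_plugin_installed(events, post_filter=lambda row: True):
    """Stages 2-4: aggregate matches by key, apply the filter stage, build RBA fields."""
    rows = {}
    for ev in events:
        if not is_plugin_archive_create(ev):
            continue
        key = tuple(ev.get(f) for f in GROUP_BY)
        row = rows.setdefault(key, {**dict(zip(GROUP_BY, key)), "count": 0,
                                    "firstTime": ev["_time"], "lastTime": ev["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    results = []
    for row in rows.values():
        if not post_filter(row):          # stands in for the *_filter macro
            continue
        row["risk_object"] = row["dest"]
        row["threat_object"] = row["file_path"]
        row["message"] = (f"A plugin archive {row['file_name']} was created on "
                          f"{row['dest']} by {row['process_name']} ({row['user']})")
        results.append(row)
    return results


# Constructed allowlist: installs already recorded in change management. Using it
# inside the filter stage is the tuning option; the summary's default is to keep
# such hits and reconcile them during triage.
CHANGE_MANAGED = {(r"CORP\tc_admin", "approved-backup-plugin.zip")}


def change_managed_filter(row):
    return (row["user"], row["file_name"]) not in CHANGE_MANAGED


if __name__ == "__main__":
    for r in teamcity_plugin_installed(SAMPLE_EVENTS, post_filter=change_managed_filter):
        print(r["count"], r["risk_object"], r["threat_object"], "|", r["message"])
```

Run without a filter argument to see every aggregated hit (two rows here, the duplicate record collapsed into a count of 2); pass change_managed_filter to drop the change-managed install the way a tuned filter macro would.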
Categories
- Endpoint
Data Sources
- File
ATT&CK Techniques
- T1505.003
- T1059
- T1190
Created: 2026-04-13