
Summary
This rule detects the installation of AteraAgent, a remote monitoring and management (RMM) tool, with an integrator account from a non-business email provider, which may indicate suspicious activity by an adversary. Adversaries often abuse legitimate applications to establish command and control channels within target environments, allowing interactive sessions with compromised systems. The detection logic examines EDR process creation logs for instances where AteraAgent is executed with an 'IntegratorLogin' sourced from a non-corporate email address, such as Gmail or Hotmail. This rule aims to identify potentially unauthorized installations or alternative channels of access that may subvert traditional security measures.
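The following is an added worked example of the detection logic described above, not the rule's own query: it applies the check to a few constructed process-creation events. The command-line shape (/i /IntegratorLogin=...), the sample paths and addresses, and the list of consumer mail domains are assumptions made for the example.

```python
import re
from typing import Optional

# Constructed sample process-creation events; the command-line shape
# (/i /IntegratorLogin=...) is an assumption, not taken from the rule text.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\bob\Downloads\AteraAgent.exe",
     "CommandLine": r'AteraAgent.exe /i /IntegratorLogin="bob.smith@gmail.com" /CompanyId="12345"'},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i AteraAgent.msi IntegratorLogin=it-ops@example-corp.com"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe notes.txt"},
    {"Image": r"C:\Temp\AteraAgent.exe",
     "CommandLine": r"AteraAgent.exe /i /IntegratorLogin=admin@HOTMAIL.com"},
]

# Consumer mail domains that a business RMM enrolment should not use (assumed list).
NON_BUSINESS_DOMAINS = {
    "gmail.com", "hotmail.com", "outlook.com", "yahoo.com",
    "aol.com", "icloud.com", "protonmail.com", "proton.me",
}

# Captures the e-mail after IntegratorLogin=, with or without surrounding quotes.
INTEGRATOR_RE = re.compile(r'IntegratorLogin=\s*"?([^\s"@]+@[^\s"]+)', re.IGNORECASE)


def extract_integrator_login(cmdline: str) -> Optional[str]:
    """Return the e-mail passed as IntegratorLogin, or None if absent."""
    m = INTEGRATOR_RE.search(cmdline)
    return m.group(1) if m else None


def is_non_business_email(email: str) -> bool:
    """Domain comparison is case-insensitive, so admin@HOTMAIL.com still matches."""
    domain = email.rsplit("@", 1)[-1].lower()
    return domain in NON_BUSINESS_DOMAINS


def detect(event: dict) -> Optional[dict]:
    """Alert when AteraAgent is installed with a consumer-mail IntegratorLogin."""
    image, cmdline = event.get("Image", ""), event.get("CommandLine", "")
    if "ateraagent" not in (image + " " + cmdline).lower():
        return None                       # not an AteraAgent execution at all
    login = extract_integrator_login(cmdline)
    if login is None or not is_non_business_email(login):
        return None                       # no login, or a corporate domain
    return {"technique": "T1219", "image": image, "integrator_login": login}


def run(events) -> list:
    """Apply the rule to a batch of process-creation events and return the hits."""
    return [hit for hit in map(detect, events) if hit]
```

The corporate-domain event is deliberately left unflagged: the rule's signal is the mismatch between a business tool and a personal mailbox, not the presence of AteraAgent itself.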
Categories
- Windows
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1219
Created: 2024-02-09