This detection rule monitors the configuration of new domain applications from the Google Workspace Apps Marketplace. Specifically, it observes admin activity where a user configures a new application. The rule is set to trigger when there is an event logged that contains the addition of an application to a domain, indicating that a new app from the marketplace is enabled. The primary focus is on the action 'ADD_APPLICATION' and changes related to application settings that could potentially highlight unauthorized changes to domain configurations or introduce unrecognized applications. The rule includes baseline tests for expected application addition events, ensuring that legitimate administration actions do not create false positives.