Slack App Added

Panther Rules

Summary
The 'Slack App Added' rule monitors Slack audit logs for applications being added to a Slack workspace. This detection is critical for identifying unauthorized app installations that could compromise workspace security or lead to data leakage. The rule captures app installation events, focusing specifically on cases where an app is added but the administrator is not included in the app scopes. Several tests validate different app installation scenarios, ensuring that no unauthorized or unwanted applications are active within the Slack workspace. Incidents are assessed based on the logged user actions, app characteristics, and contextual IP and user data, enabling detection of anomalous application-management behavior in Slack.
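The check described in the summary, as an added example that is not the Panther rule's own source. The action names, field paths, and the treatment of `admin.*` scopes are assumptions based on the Slack Audit Logs event schema, and the sample events are constructed.

```python
# Added example, not the Panther rule's source. Action names and field paths
# are assumptions based on the Slack Audit Logs event schema.
APP_ADDED_ACTIONS = {"app_installed", "app_approved", "org_app_workspace_added"}


def deep_get(obj, *keys, default=None):
    """Walk nested dicts without raising on a missing key."""
    for key in keys:
        if not isinstance(obj, dict):
            return default
        obj = obj.get(key)
    return default if obj is None else obj


def evaluate(event):
    """Return a finding for an app-add event, or None for any other event."""
    if event.get("action") not in APP_ADDED_ACTIONS:
        return None
    scopes = deep_get(event, "entity", "app", "scopes", default=[])
    return {
        "app": deep_get(event, "entity", "app", "name", default="<unknown>"),
        "actor": deep_get(event, "actor", "user", "email", default="<unknown>"),
        "ip": deep_get(event, "context", "ip_address", default="<unknown>"),
        # Flag admin-capable apps so triage can separate them from apps
        # added without admin in their scopes (assumed: "admin" or "admin.*").
        "admin_scope": any(s == "admin" or s.startswith("admin.") for s in scopes),
    }


def findings(events):
    return [f for f in map(evaluate, events) if f is not None]


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"action": "app_installed", "actor": {"user": {"email": "alice@example.com"}},
     "entity": {"type": "app", "app": {"name": "Notes Sync", "scopes": ["chat:write"]}},
     "context": {"ip_address": "203.0.113.10"}},
    {"action": "app_installed", "actor": {"user": {"email": "bob@example.com"}},
     "entity": {"type": "app", "app": {"name": "Workspace Helper", "scopes": ["admin"]}},
     "context": {"ip_address": "198.51.100.7"}},
    {"action": "user_login", "actor": {"user": {"email": "carol@example.com"}},
     "context": {"ip_address": "192.0.2.44"}},
]

if __name__ == "__main__":
    for finding in findings(SAMPLE_EVENTS):
        print(finding)
```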
Categories
  • Cloud
  • Application
  • Identity Management
  • Web
Data Sources
  • User Account
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1505
  • T0177
  • T0123
Created: 2022-09-02