
Summary
This rule detects the creation of administrator accounts on FortiGate devices. Administrator accounts are created infrequently on a well-managed device, so each creation is a high-value event that may indicate unauthorized access or an attacker establishing persistence. The detection is written in EQL (Event Query Language) and matches the FortiGate event logs generated by administrative configuration changes, specifically those that add an object under the administrator configuration path. During the FG-IR-26-060 campaign, attackers used compromised FortiCloud SSO access to create multiple super_admin accounts in rapid succession, so several creations from the same source within a short window should raise the severity of the alert. Investigation should review the configuration attributes recorded in the event (access profile, trusted hosts, VDOM) together with the account and source interface or address that performed the change, and confirm that the new account is covered by an approved change. Expected sources of false positives are authorized account provisioning and the initial configuration of a new device; treat these as benign only when they can be matched to a documented change. If the creation is unauthorized, remove the account, audit any other configuration changes made by the same session, rotate credentials for the account that performed the change, and restore the device configuration from a known-clean backup where necessary.
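The following is an added example, not the rule's own EQL or any code from the page: it runs the same detection logic in Python over constructed FortiGate key=value event log lines, so the match condition, the attribute review, and the rapid-creation pattern described above can be seen end to end. The field names cfgpath, cfgobj, cfgattr, action, user and ui follow FortiGate's event log format; the device name, addresses, account names and the `sso(...)` value in the ui field are assumptions made for illustration, and the log lines are constructed rather than captured.

```python
import re
from datetime import datetime, timedelta

# Constructed sample FortiGate event log lines (not taken from any real device
# or from the FG-IR-26-060 campaign). The key=value layout and the field names
# cfgpath / cfgobj / cfgattr / action / user / ui follow FortiGate's event log
# format; device name, addresses, account names and the ui values are made up.
SAMPLE_LOGS = [
    # Benign-looking creation a day earlier, lower-privilege profile, from the LAN.
    'date=2026-01-27 time=09:00:12 devname="FGT-EDGE-01" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" user="admin" '
    'ui="https(10.0.0.5)" action="Add" cfgpath="system.admin" cfgobj="noc_ro" '
    'cfgattr="accprofile[prof_admin]" msg="Add system.admin noc_ro"',
    # Two super_admin creations 99 seconds apart from the same (assumed) SSO session.
    'date=2026-01-28 time=10:15:01 devname="FGT-EDGE-01" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" user="admin" '
    'ui="sso(203.0.113.45)" action="Add" cfgpath="system.admin" cfgobj="svc_backup" '
    'cfgattr="accprofile[super_admin]" msg="Add system.admin svc_backup"',
    # An Edit of an admin object: not a creation, must not alert.
    'date=2026-01-28 time=10:15:09 devname="FGT-EDGE-01" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" user="admin" '
    'ui="sso(203.0.113.45)" action="Edit" cfgpath="system.admin" cfgobj="svc_backup" '
    'cfgattr="trusthost1[0.0.0.0 0.0.0.0]" msg="Edit system.admin svc_backup"',
    'date=2026-01-28 time=10:16:40 devname="FGT-EDGE-01" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" user="admin" '
    'ui="sso(203.0.113.45)" action="Add" cfgpath="system.admin" cfgobj="sys_maint" '
    'cfgattr="accprofile[super_admin]" msg="Add system.admin sys_maint"',
    # Unrelated configuration change on another path: must not alert.
    'date=2026-01-28 time=10:17:02 devname="FGT-EDGE-01" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" user="admin" '
    'ui="https(10.0.0.5)" action="Edit" cfgpath="system.interface" cfgobj="port1" '
    'cfgattr="alias[WAN]" msg="Edit system.interface port1"',
]

# Matches key="quoted value" or key=bareword.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_line(line):
    """Parse one FortiGate key=value log line into a dict of field -> value."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV_RE.finditer(line)}


def is_admin_creation(fields):
    """The match condition: a system event that adds an object under system.admin."""
    return (fields.get("type") == "event"
            and fields.get("subtype") == "system"
            and fields.get("cfgpath") == "system.admin"
            and fields.get("action") == "Add")


def access_profile(cfgattr):
    """Extract the accprofile[...] value from a cfgattr string, or None if absent."""
    m = re.search(r"accprofile\[([^\]]*)\]", cfgattr or "")
    return m.group(1) if m else None


def detect_admin_creations(lines, burst_window=timedelta(minutes=5), burst_threshold=2):
    """Return one alert per administrator-account creation, oldest first.

    Each alert records the account, its access profile, who created it and from
    where (user/ui), a severity that is raised for super_admin, and a 'burst'
    flag set when the same user/ui pair created at least burst_threshold
    accounts within burst_window (the rapid multi-account pattern).
    """
    creations = []
    for line in lines:
        f = parse_fortigate_line(line)
        if not is_admin_creation(f):
            continue
        ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
        profile = access_profile(f.get("cfgattr"))
        creations.append({
            "time": ts,
            "device": f.get("devname"),
            "account": f.get("cfgobj"),
            "profile": profile,
            "actor": f.get("user"),
            "source": f.get("ui"),
            "severity": "critical" if profile == "super_admin" else "high",
            "burst": False,
        })
    creations.sort(key=lambda a: a["time"])
    # For each creation, count earlier creations by the same actor/source inside
    # the window ending at it; if the threshold is met, flag the whole group.
    for i, a in enumerate(creations):
        same = [b for b in creations[:i + 1]
                if (b["actor"], b["source"]) == (a["actor"], a["source"])
                and a["time"] - b["time"] <= burst_window]
        if len(same) >= burst_threshold:
            for b in same:
                b["burst"] = True
    return creations


if __name__ == "__main__":
    for alert in detect_admin_creations(SAMPLE_LOGS):
        print(alert)
```

On the sample input this yields three alerts: the earlier prof_admin creation (severity high, no burst) and the two super_admin creations from the same assumed SSO source, which land within the window and are both flagged as a burst. The Edit on an existing admin and the interface change are ignored, which is the behaviour to preserve when tuning: matching on the configuration path and the Add action, not on every administrative change.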
Categories
- Network
- Identity Management
Data Sources
- Firewall
- Cloud Service
- Application Log
ATT&CK Techniques
- T1136
- T1136.001
Created: 2026-01-28