
Summary
This Elastic rule detects a FortiCloud Single Sign-On (SSO) login followed closely (within 15 minutes) by the creation of an administrator account on the same FortiGate device. The sequence is a high-confidence indication of a threat actor abusing a SAML-based SSO vulnerability, in line with the FG-IR-26-060 attack pattern: after authenticating through SSO, the adversary immediately uses that access to create a local administrator account, gaining a persistent foothold on the device that no longer depends on the SSO path and sidesteps the controls applied to it.

Investigation centers on correlating the two events. Examine the SSO login and the admin-creation event together, verify the source and legitimacy of the account that logged in, and review the configuration changes made after the new administrator was created to judge the likelihood of compromise. If the activity is unauthorized, remove the created accounts and secure the device to prevent further exploitation.
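The correlation the rule performs, as an added example that is not Elastic's rule logic or Fortinet code: a small Python detector that parses FortiGate-style key=value log lines, tracks the most recent successful SSO login per device, and raises an alert when a system.admin object is added on that device within the 15-minute window. The log lines are constructed, and the field names and values used to recognise the two events (devname, action, method, status, cfgpath, cfgobj) are assumptions standing in for whatever the real log source emits; the edge cases a practitioner cares about (creation before the login, outside the window, after a failed or non-SSO login, or on a different device) are all exercised and produce no alert.

```python
"""Correlate FortiCloud SSO logins with admin-account creation on the same
FortiGate within 15 minutes. Added example, not Elastic's rule logic or
Fortinet code; the key=value field names and values below (devname, action,
method, status, cfgpath, cfgobj) are assumptions, and the log lines are
constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=15)
# key=value pairs; quoted values may contain spaces, bare values may not.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class Alert:
    device: str
    sso_user: str
    new_admin: str
    login_at: datetime
    created_at: datetime


def parse_kv(line: str) -> dict:
    """Parse one FortiGate-style key=value line into a dict of strings."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def _ts(ev: dict) -> datetime:
    """Timestamp from the separate date= and time= fields (assumed UTC)."""
    return datetime.strptime(f"{ev['date']} {ev['time']}",
                             "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def is_sso_login(ev: dict) -> bool:
    # Assumed encoding of a successful FortiCloud SSO login.
    return (ev.get("action") == "login" and ev.get("method") == "sso"
            and ev.get("status") == "success")


def is_admin_create(ev: dict) -> bool:
    # Assumed encoding of a new system.admin object being added.
    return ev.get("action") == "Add" and ev.get("cfgpath") == "system.admin"


def correlate(events, window: timedelta = WINDOW) -> list:
    """Emit an Alert for every admin creation that follows a successful SSO
    login on the same device within `window`. Events are sorted first because
    syslog can arrive out of order; only the latest SSO login per device is
    kept, so one login can explain several creations, while a creation that
    precedes the login or falls outside the window is ignored."""
    last_sso = {}  # devname -> (login time, SSO user)
    alerts = []
    for ev in sorted(events, key=_ts):
        dev, t = ev["devname"], _ts(ev)
        if is_sso_login(ev):
            last_sso[dev] = (t, ev.get("user", "?"))
        elif is_admin_create(ev) and dev in last_sso:
            login_at, sso_user = last_sso[dev]
            if timedelta(0) <= t - login_at <= window:
                alerts.append(Alert(dev, sso_user, ev.get("cfgobj", "?"),
                                    login_at, t))
    return alerts


def detect(log_text: str, window: timedelta = WINDOW) -> list:
    events = [parse_kv(l) for l in log_text.splitlines() if l.strip()]
    return correlate(events, window)


# Constructed sample log (deliberately out of order); only the first two
# hq-01 lines should correlate.
SAMPLE_LOG = """\
devname="fgt-hq-01" date=2026-01-28 time=10:07:12 action="Add" cfgpath="system.admin" cfgobj="svc_backup" user="ops-admin"
devname="fgt-hq-01" date=2026-01-28 time=10:00:05 action="login" method="sso" user="ops-admin" status="success"
devname="fgt-hq-01" date=2026-01-28 time=10:02:00 action="Add" cfgpath="system.fsso" cfgobj="ldap1" user="ops-admin"
devname="fgt-hq-01" date=2026-01-28 time=10:40:00 action="Add" cfgpath="system.admin" cfgobj="late_admin" user="ops-admin"
devname="fgt-branch-02" date=2026-01-28 time=10:01:00 action="login" method="https" user="admin" status="success"
devname="fgt-branch-02" date=2026-01-28 time=10:03:30 action="Add" cfgpath="system.admin" cfgobj="helpdesk" user="admin"
devname="fgt-branch-02" date=2026-01-28 time=10:10:00 action="login" method="sso" user="ops-admin" status="failed"
devname="fgt-branch-02" date=2026-01-28 time=10:12:00 action="Add" cfgpath="system.admin" cfgobj="shadow" user="admin"
devname="fgt-dc-03" date=2026-01-28 time=09:58:00 action="Add" cfgpath="system.admin" cfgobj="early_admin" user="admin"
devname="fgt-dc-03" date=2026-01-28 time=10:00:00 action="login" method="sso" user="ops-admin" status="success"
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        delta = int((a.created_at - a.login_at).total_seconds())
        print(f"{a.device}: SSO login by {a.sso_user} at {a.login_at:%H:%M:%S}, "
              f"admin '{a.new_admin}' created {delta}s later")
```

The window check is directional (creation after login, not merely near it), which is what makes the sequence meaningful; a creation seen before the SSO login on fgt-dc-03 is not the pattern the rule describes. In a real pipeline the same logic would be keyed on the ECS host and user fields the Fortinet integration produces rather than on the raw key=value names assumed here.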
Categories
- Network
- Identity Management
Data Sources
- Firewall
- User Account
- Cloud Service
ATT&CK Techniques
- T1136
- T1136.001
Created: 2026-01-28