
Summary
This rule detects the creation or modification of firewall policies on FortiGate devices that allow unrestricted access, specifically policies that permit all sources, all destinations, and all services. Such permissive policies effectively undermine the firewall's protective function and leave devices open to misuse by threat actors, notably those exploiting CVE-2026-24858. The observed tactic is for threat actors to create broad policies so they can move through compromised networks without restriction. The rule uses EQL (Event Query Language) to alert on any event indicating a policy change that meets the criteria for being overly permissive. Investigation after a detection should include auditing the user account responsible for the change, reviewing the policy configuration, and looking for indicators of compromise or other unauthorized changes. Response actions should be taken promptly to mitigate the risk posed by these firewall policy modifications.
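As an added illustration, not part of the rule or its source, the following Python applies the any/any/any condition described above to constructed FortiGate-style configuration-change log lines and produces the investigation fields (policy id, user, time) the summary calls for. The field names (cfgpath, cfgobj, cfgattr, user) and the name[value] layout inside cfgattr are assumptions made for this example.

```python
import re

# Constructed FortiGate-style configuration-change log lines. The field names
# (cfgpath, cfgobj, cfgattr, user) and the name[value] layout inside cfgattr are
# assumptions for this example, not output captured from a real device.
SAMPLE_LOGS = [
    # Allow-all policy created by a service account: should alert.
    'date=2026-01-28 time=10:01:02 logdesc="Object configured" user="svc_backup" '
    'cfgpath="firewall.policy" cfgobj="42" '
    'cfgattr="srcintf[any]dstintf[any]srcaddr[all]dstaddr[all]service[ALL]action[accept]"',
    # Scoped policy (one source subnet, one service): should not alert.
    'date=2026-01-28 time=10:05:44 logdesc="Object configured" user="admin" '
    'cfgpath="firewall.policy" cfgobj="43" '
    'cfgattr="srcaddr[LAN_10.0.1.0]dstaddr[all]service[HTTPS]action[accept]"',
    # Change to an address object, not a policy: should not alert.
    'date=2026-01-28 time=10:07:10 logdesc="Object configured" user="admin" '
    'cfgpath="firewall.address" cfgobj="LAN_10.0.1.0" cfgattr="subnet[10.0.1.0 255.255.255.0]"',
    # Existing policy widened to all/all/all: should alert.
    'date=2026-01-28 time=10:09:30 logdesc="Object attribute configured" user="admin" '
    'cfgpath="firewall.policy" cfgobj="7" cfgattr="srcaddr[all]dstaddr[all]service[ALL]action[accept]"',
]

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')   # key=value or key="value with spaces"
ATTR_RE = re.compile(r'(\w+)\[([^\]]*)\]')      # name[value] pairs inside cfgattr

def parse_line(line: str) -> dict:
    """Split a key=value log line into a dict, stripping quotes from values."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV_RE.finditer(line)}

def parse_cfgattr(cfgattr: str) -> dict:
    """Split a name[value]name[value]... string into a dict."""
    return {m.group(1): m.group(2) for m in ATTR_RE.finditer(cfgattr)}

def is_any_any_any(event: dict) -> bool:
    """True for a firewall.policy change whose source, destination and service are all unrestricted."""
    if event.get("cfgpath") != "firewall.policy":
        return False
    attrs = parse_cfgattr(event.get("cfgattr", ""))
    unrestricted = all(attrs.get(k, "").lower() == "all" for k in ("srcaddr", "dstaddr", "service"))
    # Only an accept rule opens the network up; a deny-all policy is not the condition described.
    return unrestricted and attrs.get("action", "accept").lower() == "accept"

def find_permissive_policy_changes(lines: list) -> list:
    """Return one alert record (policy id, user, time) per matching log line."""
    events = (parse_line(line) for line in lines)
    return [{"policy_id": e.get("cfgobj"), "user": e.get("user"), "time": f"{e.get('date')} {e.get('time')}"}
            for e in events if is_any_any_any(e)]
```

Running `find_permissive_policy_changes(SAMPLE_LOGS)` flags policies 42 and 7 and leaves the scoped policy and the address-object change alone.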
Categories
- Network
Data Sources
- Container
- Firewall
- Cloud Service
ATT&CK Techniques
- T1562
- T1562.004
Created: 2026-01-28