
Summary
This detection rule identifies the creation of a new administrator account on Fortinet FortiGate firewalls. It alerts security personnel to potential unauthorized changes to the firewall's administrative access, which could indicate suspicious activity or an insider threat. The rule matches configuration-change log entries whose action is 'Add' and whose configuration path is 'system.admin'. In FortiGate's logging architecture, the creation of new administrative accounts is logged, providing crucial insight into changes in user privileges. Upon detection, a thorough analysis is advised to confirm the legitimacy of the account creation, especially where the change was not scheduled or expected. The recommended practice is to corroborate the activity with organizational change policies and operational logs to rule out false positives, since administrator accounts are sometimes created for valid operational needs.
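The following is an added example, not part of the rule page itself, showing the 'Add' on 'system.admin' match applied to FortiGate's key=value event-log format. The sample log lines are constructed, and field names other than action and cfgpath (user, ui, cfgobj, cfgattr) are assumed from FortiGate's configuration-change log layout.

```python
import re
from typing import Dict, Iterable, List

# FortiGate event logs are space-separated key=value pairs; values may be
# double-quoted and contain spaces (e.g. msg="Add system.admin backup_admin").
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_line(line: str) -> Dict[str, str]:
    """Parse one FortiGate log line into a field -> value dict, stripping quotes."""
    fields: Dict[str, str] = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def is_admin_account_creation(event: Dict[str, str]) -> bool:
    """The rule's condition: a configuration 'Add' on the system.admin path."""
    return event.get("action") == "Add" and event.get("cfgpath") == "system.admin"


def find_admin_creations(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed events that satisfy the detection condition."""
    return [ev for ev in map(parse_fortigate_line, lines) if is_admin_account_creation(ev)]


# Constructed sample lines (not captured from a real device); the first is the
# only one that should fire: an Add on system.admin. The second is an Edit on the
# same path, the third an Add on an unrelated path.
SAMPLE_LOGS = [
    'date=2025-11-01 time=09:14:02 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="GUI(198.51.100.23)" action="Add" '
    'cfgpath="system.admin" cfgobj="backup_admin" cfgattr="accprofile[super_admin]" '
    'msg="Add system.admin backup_admin"',
    'date=2025-11-01 time=09:15:40 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="GUI(198.51.100.23)" action="Edit" '
    'cfgpath="system.admin" cfgobj="backup_admin" cfgattr="password[*]" '
    'msg="Edit system.admin backup_admin"',
    'date=2025-11-01 time=09:16:11 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="GUI(198.51.100.23)" action="Add" '
    'cfgpath="firewall.address" cfgobj="srv-web-01" cfgattr="subnet[10.0.0.5 255.255.255.255]" '
    'msg="Add firewall.address srv-web-01"',
]

if __name__ == "__main__":
    for hit in find_admin_creations(SAMPLE_LOGS):
        # Surface the context an analyst needs to verify the change against change records.
        print(f"{hit['date']} {hit['time']} admin account '{hit['cfgobj']}' created by "
              f"'{hit['user']}' via {hit['ui']} ({hit['cfgattr']})")
```

The printed fields (who, from where, with which access profile) are the ones to check against scheduled changes when triaging a hit.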
Categories
- Network
- Endpoint
- Cloud
- Infrastructure
- Application
Data Sources
- Logon Session
- Application Log
- Process
- Service
Created: 2025-11-01