
Summary
This rule identifies cases in which several distinct source IP addresses successfully log in to the FortiGate management interface with the same Administrator account within a 24-hour window. Such activity may indicate credential sharing, compromised credentials, or unauthorized access, and warrants investigation because of the elevated privileges attached to Administrator accounts. The rule queries Fortinet log data for successful authentication events tied to the Administrator role, using a 24-hour lookback that is evaluated every 5 minutes, and returns the login count, the distinct source IP addresses, and the first and last login timestamps for context. Administrators should review flagged accounts for misuse or compromise and compare the observed access pattern against established baselines for expected administrative behavior; legitimate causes such as an administrator moving between networks, a changing NAT or VPN egress address, or a shared jump host should be ruled out before escalating. Triage steps recommend validating the legitimacy of each login, analyzing the geographical and ownership data of the source IP addresses, and correlating the logins with administrative actions performed after them.
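The detection logic described above, run over a handful of constructed FortiGate-style event lines, as an added example that is not the rule's own query. The lines imitate FortiGate's key=value event-log layout, but the specific field names and values used for matching (logdesc, action, status, srcip, user) are assumptions made for this illustration; the reference time NOW and the sample addresses are constructed as well.

```python
"""Flag a FortiGate admin account that logged in from several source IPs.

Added example, not the original rule. Sample log lines are constructed in a
FortiGate-like key=value style; field names and values are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Reference time for the lookback is NOW below.
SAMPLE_LOGS = [
    # 27 hours before NOW: outside the 24-hour lookback, must not count.
    'date=2026-01-27 time=09:00:00 devname="FGT-EDGE-1" type="event" subtype="system" '
    'level="information" logdesc="Admin login successful" user="admin" srcip=198.51.100.9 '
    'ui="https(198.51.100.9)" action="login" status="success" msg="Administrator admin logged in"',
    # Inside the window, first source IP for admin.
    'date=2026-01-27 time=14:10:00 devname="FGT-EDGE-1" type="event" subtype="system" '
    'level="information" logdesc="Admin login successful" user="admin" srcip=203.0.113.5 '
    'ui="https(203.0.113.5)" action="login" status="success" msg="Administrator admin logged in"',
    # Inside the window, second distinct source IP for admin.
    'date=2026-01-28 time=08:22:00 devname="FGT-EDGE-1" type="event" subtype="system" '
    'level="information" logdesc="Admin login successful" user="admin" srcip=198.51.100.23 '
    'ui="ssh(198.51.100.23)" action="login" status="success" msg="Administrator admin logged in"',
    # Failed login from a third IP: not a successful authentication, ignored.
    'date=2026-01-28 time=09:00:00 devname="FGT-EDGE-1" type="event" subtype="system" '
    'level="alert" logdesc="Admin login failed" user="admin" srcip=192.0.2.77 '
    'ui="https(192.0.2.77)" action="login" status="failed" msg="Administrator admin login failed"',
    # A different account seen from only one IP: below the threshold.
    'date=2026-01-28 time=10:15:00 devname="FGT-EDGE-1" type="event" subtype="system" '
    'level="information" logdesc="Admin login successful" user="auditor" srcip=203.0.113.5 '
    'ui="https(203.0.113.5)" action="login" status="success" msg="Administrator auditor logged in"',
    # Repeat of an IP already seen for admin: raises the count, not the distinct IPs.
    'date=2026-01-28 time=11:30:00 devname="FGT-EDGE-1" type="event" subtype="system" '
    'level="information" logdesc="Admin login successful" user="admin" srcip=203.0.113.5 '
    'ui="https(203.0.113.5)" action="login" status="success" msg="Administrator admin logged in"',
]

NOW = datetime(2026, 1, 28, 12, 0, 0)  # constructed evaluation time

# key=value pairs; values are either a quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict and attach a datetime under 'ts'."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return fields


def is_admin_login_success(ev):
    """Successful management-interface login event (assumed field values)."""
    return (ev.get("type") == "event" and ev.get("subtype") == "system"
            and ev.get("action") == "login" and ev.get("status") == "success")


def detect(lines, now=NOW, lookback=timedelta(hours=24), min_distinct_ips=2):
    """Return {user: finding} for accounts with >= min_distinct_ips source IPs
    among successful logins in (now - lookback, now]. Mirrors the rule's
    24-hour lookback; the caller re-runs it on the 5-minute schedule."""
    start = now - lookback
    by_user = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if is_admin_login_success(ev) and start < ev["ts"] <= now:
            by_user[ev["user"]].append(ev)

    findings = {}
    for user, evs in by_user.items():
        ips = sorted({e["srcip"] for e in evs})
        if len(ips) >= min_distinct_ips:
            times = sorted(e["ts"] for e in evs)
            findings[user] = {
                "login_count": len(evs),
                "src_ips": ips,
                "first_seen": times[0].isoformat(),
                "last_seen": times[-1].isoformat(),
            }
    return findings


if __name__ == "__main__":
    for user, f in detect(SAMPLE_LOGS).items():
        print(f"{user}: {f['login_count']} logins from {f['src_ips']} "
              f"between {f['first_seen']} and {f['last_seen']}")
```

Note that the failed login from 192.0.2.77 is deliberately excluded; a variant that counts failed attempts alongside successes would answer a different question (password spraying against the account) and should be a separate rule. When tuning, the distinct-IP set in each finding is the field to compare against known administrator egress addresses before the alert is escalated.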
Categories
- Network
- Identity Management
Data Sources
- Firewall
- Logon Session
- Process
ATT&CK Techniques
- T1078
Created: 2026-01-28