
Summary
This detection rule monitors the creation of new local user accounts on Fortinet FortiGate firewalls. Tracking new user accounts is critical because they can be used for unauthorized access, particularly via VPN connections. By implementing this rule, organizations gain visibility into potential security incidents and ensure that unauthorized modifications to user configuration are flagged for investigation. The rule detects events where the action 'Add' is performed on the local user configuration path ('user.local'), signaling the creation of a new local user. False positives may occur when legitimate account creations happen, so the user details should be reviewed to confirm that the change was authorized.
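To show how the rule's two conditions (action 'Add' on configuration path 'user.local') translate into detection logic, the following is an added example written for this page; it is not the detection rule's own implementation. It parses FortiGate-style key=value event-log lines and reports only the local user creations, ignoring edits to existing users and additions to other configuration paths. The log lines are constructed sample data (device names, addresses and user names are made up), and the field names other than action and cfgpath (cfgobj, ui, devname, logdesc) are assumed from FortiGate's configuration-change event format.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample FortiGate event-log lines (not from a real device):
# 1) a new local user being added, 2) an edit to that same user,
# 3) an 'Add' on an unrelated configuration path.
SAMPLE_LOGS = [
    'date=2025-11-01 time=09:12:41 devname="fw-edge-01" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object configured" user="admin" '
    'ui="ssh(192.0.2.10)" action="Add" cfgpath="user.local" cfgobj="vpn-contractor7" '
    'msg="Add user.local vpn-contractor7"',
    'date=2025-11-01 time=09:15:02 devname="fw-edge-01" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" user="admin" '
    'ui="ssh(192.0.2.10)" action="Edit" cfgpath="user.local" cfgobj="vpn-contractor7" '
    'cfgattr="status[enable]" msg="Edit user.local vpn-contractor7"',
    'date=2025-11-01 time=09:20:33 devname="fw-edge-01" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object configured" user="admin" '
    'ui="gui(192.0.2.11)" action="Add" cfgpath="firewall.address" cfgobj="host-1" '
    'msg="Add firewall.address host-1"',
]

# key=value pairs; values are either double-quoted (may contain spaces and
# backslash escapes) or a bare run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_line(line: str) -> Dict[str, str]:
    """Split one FortiGate log line into a dict, stripping surrounding quotes."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def is_local_user_creation(event: Dict[str, str]) -> bool:
    """The rule's condition: an 'Add' action on the 'user.local' config path."""
    return event.get("action") == "Add" and event.get("cfgpath") == "user.local"


def find_new_local_users(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one alert record per matching line, with the context an analyst
    needs to confirm authorization (who made the change, from where, which user)."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        event = parse_fortigate_line(line)
        if not is_local_user_creation(event):
            continue
        alerts.append({
            "time": f'{event.get("date", "?")} {event.get("time", "?")}',
            "device": event.get("devname", "?"),
            "admin": event.get("user", "?"),        # account that performed the change
            "source": event.get("ui", "?"),         # management interface and client address
            "new_user": event.get("cfgobj", "?"),   # the local user that was created
        })
    return alerts


if __name__ == "__main__":
    for alert in find_new_local_users(SAMPLE_LOGS):
        print("New local user created:", alert)
```

Only the first sample line produces an alert; the 'Edit' on the same user and the 'Add' of a firewall address object are not matched, which mirrors the rule's scope. The alert record carries the administrator account, the management interface and source address, and the new user name so the review for false positives described above can be done without going back to the raw log.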
Categories
- Network
- Endpoint
- Infrastructure
Data Sources
- Firewall
Created: 2025-11-01