FortiGate Configuration File Downloaded

Elastic Detection Rules

Summary
This rule detects the download (export) of a FortiGate device configuration file. A FortiGate configuration can contain administrator password hashes, LDAP bind credentials, VPN keys, routing tables and firewall policies, so a threat actor who obtains one, for example after exploiting a vulnerability such as CVE-2026-24858, can map the internal network and harvest credentials. The rule monitors Fortinet event logs on a 5-minute interval for configuration downloads initiated by a user account, giving early warning of a potential breach. Investigations should verify the legitimacy of the account that performed the download, the method used for the export, and any related account changes or other suspicious activity following the export.
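The following is an added example, not the Elastic rule's own query and not Fortinet code. It shows the detection idea from the summary run over a few constructed FortiGate event-log lines: parse the key=value syslog format, flag configuration backup/download events, collapse repeats by the same user and source inside the rule's 5-minute window, and attach any administrator-account changes the same user made shortly after the export, which is the follow-on activity an investigator is told to look for. The field names, actions, messages, users and addresses in the sample lines are assumptions that approximate the FortiOS event-log layout; the exact log IDs and message strings FortiOS emits are not on the page and are not reproduced here.

```python
import re
from datetime import datetime, timedelta

# Constructed sample FortiGate event-log lines (assumptions, not real device output).
SAMPLE_LOGS = [
    'date=2026-01-28 time=09:12:01 devname="fw-edge-01" type="event" subtype="system" '
    'level="information" user="admin" ui="https(203.0.113.7)" action="backup" '
    'msg="User admin backed up the configuration"',
    'date=2026-01-28 time=09:12:03 devname="fw-edge-01" type="event" subtype="system" '
    'level="notice" user="admin" ui="https(203.0.113.7)" action="login" '
    'msg="Administrator admin logged in successfully"',
    'date=2026-01-28 time=09:14:00 devname="fw-edge-01" type="event" subtype="system" '
    'level="information" user="admin" ui="https(203.0.113.7)" action="backup" '
    'msg="User admin backed up the configuration"',
    'date=2026-01-28 time=09:15:44 devname="fw-edge-01" type="event" subtype="system" '
    'level="information" user="backup-svc" ui="ssh(10.0.0.5)" action="backup" '
    'msg="User backup-svc backed up the configuration"',
    'date=2026-01-28 time=11:40:10 devname="fw-edge-01" type="event" subtype="system" '
    'level="information" user="svc_temp" ui="https(198.51.100.23)" action="download" '
    'msg="User svc_temp downloaded the configuration file"',
    'date=2026-01-28 time=11:42:30 devname="fw-edge-01" type="event" subtype="system" '
    'level="information" user="svc_temp" ui="https(198.51.100.23)" action="Add" '
    'cfgpath="system.admin" cfgobj="helpdesk2" msg="Add system.admin helpdesk2"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Actions treated as a configuration export (assumed names for illustration).
CONFIG_EXPORT_ACTIONS = {"backup", "download"}


def parse_line(line):
    """Parse one FortiOS-style syslog line into a dict and add a '_ts' datetime."""
    fields = {key: value.strip('"') for key, value in KV_RE.findall(line)}
    fields["_ts"] = datetime.strptime(f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S")
    return fields


def is_config_export(ev):
    """True for a system event whose action and message describe a config export."""
    return (ev.get("type") == "event" and ev.get("subtype") == "system"
            and ev.get("action", "").lower() in CONFIG_EXPORT_ACTIONS
            and "configuration" in ev.get("msg", "").lower())


def detect(lines, window=timedelta(minutes=5), followup=timedelta(minutes=30)):
    """Return one alert per (user, source) burst of config exports inside `window`,
    each annotated with system.admin changes that user made within `followup`."""
    events = sorted((parse_line(line) for line in lines), key=lambda e: e["_ts"])
    alerts = []
    for ev in events:
        if not is_config_export(ev):
            continue
        # Fold repeats by the same user/source into the open alert within the window.
        for alert in alerts:
            if (alert["user"] == ev["user"] and alert["ui"] == ev["ui"]
                    and ev["_ts"] - alert["last"] <= window):
                alert["count"] += 1
                alert["last"] = ev["_ts"]
                break
        else:
            alerts.append({"user": ev["user"], "ui": ev["ui"], "first": ev["_ts"],
                           "last": ev["_ts"], "count": 1, "account_changes": []})
    # Investigation context: admin-account changes by the same user after the export.
    for alert in alerts:
        for ev in events:
            if (ev.get("user") == alert["user"] and ev.get("cfgpath") == "system.admin"
                    and alert["first"] <= ev["_ts"] <= alert["last"] + followup):
                alert["account_changes"].append((ev["action"], ev.get("cfgobj", "")))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(f'{alert["user"]:<12} {alert["ui"]:<24} exports={alert["count"]} '
              f'first={alert["first"].time()} account_changes={alert["account_changes"]}')
```

On the sample input this yields three alerts: two backups by `admin` from the same HTTPS source collapse into one alert, the `backup-svc` SSH backup stands alone with no follow-on changes (a likely candidate for a scheduled-backup exception after verification), and the `svc_temp` download is followed two minutes later by the creation of a new administrator, which is exactly the post-export account change the rule's investigation guidance calls out.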
Categories
  • Network
Data Sources
  • Pod
  • Container
  • User Account
  • Process
  • Network Traffic
  • Malware Repository
  • Application Log
  • Cloud Service
  • Service
ATT&CK Techniques
  • T1602
  • T1602.002
Created: 2026-01-28