Fortinet Appliance Auth bypass

Splunk Security Content

Summary
This analytic rule is designed to detect potential exploitation attempts of CVE-2022-40684, an authentication bypass vulnerability in Fortinet appliances. The detection focuses on identifying anomalous REST API requests directed at the /api/v2/ endpoint across the HTTP methods GET, POST, PUT, and DELETE. Unauthorized modifications such as user creation or SSH key additions may indicate exploitation of this vulnerability, which could allow a malicious actor to gain unauthorized access, reroute network traffic, or extract sensitive data from the appliance. The rule uses the Web datamodel to monitor specific URL patterns and HTTP methods. By aggregating events on user agent, HTTP method, source, and destination, the rule makes potentially malicious interactions with Fortinet appliances easier to identify.
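As an added illustration, not Splunk's own search logic and not part of this page, the following Python reproduces the filter-and-aggregate stages the summary describes over a handful of constructed events. The field names (src, dest, http_method, url, http_user_agent) follow the common fields of the Splunk Web datamodel; the sample events, the module name and the write-method triage helper are assumptions made for this demonstration only.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample events in the field shape the Web datamodel exposes.
# These are made-up records for demonstration, not real Fortinet appliance logs.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"src": "203.0.113.10", "dest": "10.0.0.5", "http_method": "GET",
     "url": "/api/v2/cmdb/system/admin", "http_user_agent": "curl/7.88"},
    {"src": "203.0.113.10", "dest": "10.0.0.5", "http_method": "PUT",
     "url": "/api/v2/cmdb/system/admin/admin", "http_user_agent": "curl/7.88"},
    {"src": "203.0.113.10", "dest": "10.0.0.5", "http_method": "POST",
     "url": "/api/v2/cmdb/system/admin", "http_user_agent": "curl/7.88"},
    # Ordinary login page hit: not an /api/v2/ request, so the rule ignores it.
    {"src": "198.51.100.7", "dest": "10.0.0.5", "http_method": "GET",
     "url": "/login", "http_user_agent": "Mozilla/5.0"},
    {"src": "198.51.100.7", "dest": "10.0.0.5", "http_method": "GET",
     "url": "/api/v2/monitor/system/status", "http_user_agent": "Mozilla/5.0"},
    {"src": "192.0.2.9", "dest": "10.0.0.6", "http_method": "DELETE",
     "url": "/api/v2/cmdb/system/admin/backup", "http_user_agent": "python-requests/2.31"},
    # HEAD is not one of the four watched methods, so this one is filtered out.
    {"src": "192.0.2.9", "dest": "10.0.0.6", "http_method": "HEAD",
     "url": "/api/v2/cmdb/system/admin", "http_user_agent": "python-requests/2.31"},
]

# The four HTTP methods the rule watches, and the URL pattern it keys on.
WATCHED_METHODS = {"GET", "POST", "PUT", "DELETE"}
API_PATH = re.compile(r"/api/v2/")

# Aggregation key in the order the summary lists: user agent, method, src, dest.
GroupKey = Tuple[str, str, str, str]


def matches_rule(event: Dict[str, str]) -> bool:
    """Filter stage: an /api/v2/ URL requested with one of the watched methods."""
    method = event.get("http_method", "").upper()
    return method in WATCHED_METHODS and API_PATH.search(event.get("url", "")) is not None


def aggregate(events: Iterable[Dict[str, str]]) -> Dict[GroupKey, int]:
    """Aggregation stage: count matching events per (user agent, method, src, dest)."""
    counts: Counter = Counter()
    for e in events:
        if matches_rule(e):
            counts[(e["http_user_agent"], e["http_method"].upper(), e["src"], e["dest"])] += 1
    return dict(counts)


def flag_write_methods(agg: Dict[GroupKey, int]) -> List[GroupKey]:
    """Triage helper (assumption, not part of the rule): surface groups that used a
    state-changing method, since the summary names user creation and SSH key
    additions as the modifications that indicate exploitation."""
    return sorted(key for key in agg if key[1] in {"POST", "PUT", "DELETE"})


if __name__ == "__main__":
    groups = aggregate(SAMPLE_EVENTS)
    for (ua, method, src, dest), n in sorted(groups.items()):
        print(f"{ua:22} {method:6} {src:14} -> {dest:10} count={n}")
    print("state-changing groups:", flag_write_methods(groups))
```

Running the script produces five aggregated groups out of the seven constructed events: the /login request and the HEAD request never pass the filter, and the triage helper lists the three groups that issued POST, PUT, or DELETE to /api/v2/. In a real deployment the equivalent aggregation runs inside Splunk against the Web datamodel; the point of the offline version is to make explicit which fields the grouping depends on when tuning the rule for a given environment's normal administrative user agents and sources.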
Categories
  • Network
  • Endpoint
Data Sources
  • Pod
  • Web Credential
ATT&CK Techniques
  • T1190
  • T1133
Created: 2024-11-15