
Summary
This detection rule identifies when a new firewall policy is added to a Fortinet FortiGate Firewall. It looks for configuration events with the action 'Add' under the configuration path 'firewall.policy'. Such an event means the firewall's ruleset has changed, which may alter the security posture of the network. Because firewall policies are foundational to network security, unauthorized or unexpected additions can give an attacker a path around existing defenses. Legitimate administrative work accounts for some occurrences, but the potential for misuse means firewall changes warrant monitoring and, where unexplained, a response. The medium severity level reflects the need for operational awareness: unauthorized changes can increase risk exposure or leave security settings misconfigured.
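The rule logic above, applied to FortiGate key=value event lines, as an added example that is not part of the original rule or Fortinet's documentation. The log lines are constructed, and the field names used (action, cfgpath, cfgobj, user, ui) are assumed to follow FortiGate's configuration-change event format.

```python
import re

# Matches key=value and key="quoted value" pairs in a FortiGate syslog line.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_fortigate(line: str) -> dict:
    """Parse one FortiGate key=value line into a dict, quotes stripped."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV_RE.finditer(line)}

def is_new_policy(event: dict) -> bool:
    """Rule logic: a configuration 'Add' under the firewall.policy path."""
    return (event.get("type") == "event"
            and event.get("action") == "Add"
            and event.get("cfgpath") == "firewall.policy")

# Constructed sample lines (not real telemetry). Only the first one should fire:
# the second is an Edit, the third adds an address object, the fourth is traffic.
SAMPLE_LOGS = [
    'date=2025-11-01 time=10:02:11 type="event" subtype="system" vd="root" '
    'user="admin" ui="GUI(192.0.2.10)" action="Add" cfgtid=123456 '
    'cfgpath="firewall.policy" cfgobj="17" msg="Add firewall.policy 17"',
    'date=2025-11-01 time=10:03:40 type="event" subtype="system" vd="root" '
    'user="admin" ui="ssh(192.0.2.10)" action="Edit" cfgtid=123457 '
    'cfgpath="firewall.policy" cfgobj="17" cfgattr="status[enable->disable]"',
    'date=2025-11-01 time=10:05:02 type="event" subtype="system" vd="root" '
    'user="admin" ui="GUI(192.0.2.10)" action="Add" cfgtid=123458 '
    'cfgpath="firewall.address" cfgobj="srv-web" msg="Add firewall.address srv-web"',
    'date=2025-11-01 time=10:06:30 type="traffic" subtype="forward" vd="root" '
    'action="accept" policyid=17 srcip=198.51.100.5 dstip=203.0.113.7',
]

def detect(lines):
    """Return (user, ui, cfgobj) for every new-policy event in lines."""
    hits = []
    for line in lines:
        ev = parse_fortigate(line)
        if is_new_policy(ev):
            hits.append((ev.get("user"), ev.get("ui"), ev.get("cfgobj")))
    return hits

if __name__ == "__main__":
    for user, ui, obj in detect(SAMPLE_LOGS):
        print(f"ALERT: firewall policy {obj} added by {user} via {ui}")
```

The user and ui fields are kept in the alert so an analyst can check the change against an approved change record.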
Categories
- Network
- Cloud
- Infrastructure
Data Sources
- Firewall
- Application Log
Created: 2025-11-01