an administrator account can be created for legitimate purposes. investigate the account details to determine if it is authorized.

source: <a href=https://github.com/SigmaHQ/sigma/blob/master/rules/network/fortinet/fortigate/fortinet_fortigate_new_admin_account_created.yml>sigma
technicques: t1136 t1136.001

Techniques

Detects the creation of an administrator account on a Fortinet FortiGate Firewall.

condition: selection
selection:
  action: Add
  cfgpath: system.admin