
Summary
This detection rule identifies newly observed alerts from Palo Alto Networks (PAN) firewalls by analyzing logs for alerts recorded within a five-day timeframe. It targets alerts that have not been seen before, focusing on high-severity events. The core of the rule is an ES|QL (Elasticsearch Query Language) query that filters the relevant log entries, excluding informational and low-severity alerts. For each alert it computes the number of occurrences, the time it first appeared, and the distinct counts of source and destination IPs, and it applies constraints so that only alerts seen for the first time within the recent time window are flagged. The intention is to prioritize potential threats that may indicate an emerging issue warranting immediate investigation.
Categories
- Network
Data Sources
- Pod
- Container
- Firewall
Created: 2026-01-21