Newly Observed High Severity Suricata Alert

Elastic Detection Rules

Summary
This rule identifies high severity Suricata alerts that are observed for the first time within the last 5 days of alert history, so that analysts can prioritize triage and response around new threat signals. It collects Suricata alerts that meet the severity and recency criteria and filters out high-volume alert scenarios, focusing on unique events that may indicate a significant threat. Each captured alert carries context such as the source and destination IP addresses and the domains and paths associated with the triggered signature.

A first-seen alert warrants timely investigation to distinguish genuine threats from benign activity, in particular by assessing the behaviour of the source and the specifics of the alert itself. Vulnerability scanners and newly introduced automation scripts are common sources of false positives, so analysts should validate the activity that triggered the alert before acting on it. If the activity is malicious, immediate remediation is recommended, including isolating the host and collecting forensic artifacts. If it is benign, document the finding and consider adjusting the rule to reduce future alerts.
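The page does not show the rule's own query, so the following is an added Python re-implementation of the first-seen logic described above, run over constructed Suricata EVE-style alert records; the 24-hour evaluation window, the 10-hit high-volume threshold and the sample signatures, addresses and hostnames are assumptions, not values from the rule.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed EVE-style records (not from the page). Suricata's default classification
# maps priority 1 to its highest-severity classes, so alert.severity == 1 means "high".
def eve(ts, src, dst, sig, sev, **http):
    """Build a minimal Suricata EVE alert record (constructed test data)."""
    return {"timestamp": ts, "src_ip": src, "dest_ip": dst,
            "alert": {"signature": sig, "severity": sev}, "http": http}

NOW = datetime(2026, 1, 20, tzinfo=timezone.utc)  # evaluation time for the sample data
ALERTS = [
    eve("2026-01-14T09:00:00+0000", "10.0.0.7", "198.51.100.4", "SIG_A scanner", 1),  # in 5-day history
    eve("2026-01-19T10:00:00+0000", "10.0.0.7", "198.51.100.4", "SIG_A scanner", 1),  # repeat: not new
    eve("2026-01-19T11:05:00+0000", "10.0.0.12", "203.0.113.9", "SIG_B beacon", 1,
        hostname="updates.example.test", url="/check"),                              # genuinely new
    eve("2026-01-19T11:30:00+0000", "10.0.0.15", "203.0.113.20", "SIG_C policy", 3),  # not high severity
    eve("2026-01-05T08:00:00+0000", "10.0.0.3", "192.0.2.8", "SIG_E old", 1),         # older than history
    eve("2026-01-19T12:00:00+0000", "10.0.0.3", "192.0.2.8", "SIG_E old", 1),         # so it counts as new
] + [eve(f"2026-01-19T13:{m:02d}:00+0000", "10.0.0.20", "192.0.2.50", "SIG_D noisy", 1)
     for m in range(12)]                                                              # high-volume noise

def newly_observed_high_severity(alerts, now, history_days=5, window_hours=24, max_hits=10):
    """Return {signature: context} for high-severity signatures seen in the current window
    but not in the preceding history. Signatures firing more than max_hits times in the
    window are dropped (the high-volume exclusion; the threshold value is an assumption)."""
    window_start = now - timedelta(hours=window_hours)
    history_start = window_start - timedelta(days=history_days)
    seen_before, current = set(), defaultdict(list)
    for ev in alerts:
        sig, sev = ev["alert"]["signature"], ev["alert"].get("severity")
        if sev != 1:  # only high-severity alerts are considered
            continue
        ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S%z")
        if history_start <= ts < window_start:
            seen_before.add(sig)
        elif window_start <= ts <= now:
            current[sig].append((ts, ev))
    results = {}
    for sig, hits in current.items():
        if sig in seen_before or len(hits) > max_hits:  # already known, or too noisy to be unique
            continue
        results[sig] = {  # triage context: who talked to whom, and where
            "first_seen": min(ts for ts, _ in hits).isoformat(),
            "count": len(hits),
            "src_ips": sorted({ev["src_ip"] for _, ev in hits}),
            "dest_ips": sorted({ev["dest_ip"] for _, ev in hits}),
            "domains": sorted({ev["http"]["hostname"] for _, ev in hits if "hostname" in ev["http"]}),
            "paths": sorted({ev["http"]["url"] for _, ev in hits if "url" in ev["http"]}),
        }
    return results
```

Note that SIG_E is reported because its earlier hit falls outside the 5-day history, which is exactly the kind of result the summary asks analysts to validate before treating it as new.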
Categories
  • Network
Data Sources
  • Pod
  • Container
  • User Account
  • Web Credential
  • Network Traffic
Created: 2026-01-20