
Summary
The 'Newly Observed FortiGate Alert' rule aims to identify alert messages from FortiGate devices that are being seen for the first time within a given timeframe (the past 5 days). This rule is written in ES|QL and focuses on low-frequency yet high-severity alerts in FortiGate logs, particularly those concerning network threats. The rule reduces the potential for false positives by filtering out benign traffic that matches well-known patterns. Alerts are generated only when the criteria on how recently and how often a given alert message has been observed are met. Security analysts are advised to treat such alerts as high priority for validation. Actions include scrutinizing the source IP, reviewing the corresponding log messages, and taking the necessary remediation steps based on the context and legitimacy of the activity. Thorough investigation steps and considerations for false positives, such as vulnerability scans or development activities, are also outlined to guide analysts in determining whether an alert represents a genuine threat or benign activity.
Categories
- Network
- Cloud
- Infrastructure
Data Sources
- Firewall
- Network Traffic
- Logon Session
Created: 2026-01-21