FortiGate FortiCloud SSO Login from Unusual Source

Elastic Detection Rules

Summary
This detection rule identifies the first successful login to a FortiGate device via FortiCloud SSO from a source IP address that has not been seen in the last five days. The activity is significant because of the potential exploitation of vulnerabilities in SAML-based authentication; specifically, the rule focuses on CVE-2026-24858, which allows attackers to gain unauthorized access by using crafted SAML assertions. The rule queries logs from Fortinet devices for successful SSO logins, filters out routine access from known IP addresses, and triggers only on novel source addresses. An alert indicates possible unauthorized access and requires immediate investigation: check the source IP against known safe locations and review subsequent administrative actions that could indicate exploitation. The rule's note section includes detailed investigation steps, potential false positive scenarios, and response actions to take when suspicious activity is detected.
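The "first successful SSO login from a source address not seen in the last five days" logic described above, as an added illustration that is not the rule's own query or Elastic's implementation. The event records, their field names (`source.ip`, `event.outcome`, `auth.method`, `user.name`) and values are constructed for this example and are not the fields the real rule matches on; only successful FortiCloud SSO logins count as "seen", so failed attempts and non-SSO logins neither alert nor suppress a later alert.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample events in a simplified, ECS-like shape. Field names and values
# are assumptions for this example, not the fields queried by the Elastic rule.
SAMPLE_EVENTS = [
    {"@timestamp": "2026-01-20T09:00:00+00:00", "source.ip": "203.0.113.10",
     "user.name": "admin", "event.outcome": "success", "auth.method": "forticloud-sso"},
    {"@timestamp": "2026-01-22T08:30:00+00:00", "source.ip": "203.0.113.10",
     "user.name": "admin", "event.outcome": "success", "auth.method": "forticloud-sso"},
    {"@timestamp": "2026-01-23T10:00:00+00:00", "source.ip": "198.51.100.7",
     "user.name": "admin", "event.outcome": "failure", "auth.method": "forticloud-sso"},
    {"@timestamp": "2026-01-23T10:05:00+00:00", "source.ip": "198.51.100.7",
     "user.name": "admin", "event.outcome": "success", "auth.method": "forticloud-sso"},
    {"@timestamp": "2026-01-23T11:00:00+00:00", "source.ip": "192.0.2.44",
     "user.name": "netops", "event.outcome": "success", "auth.method": "local"},
    {"@timestamp": "2026-01-29T09:00:00+00:00", "source.ip": "203.0.113.10",
     "user.name": "admin", "event.outcome": "success", "auth.method": "forticloud-sso"},
    {"@timestamp": "2026-01-29T09:10:00+00:00", "source.ip": "192.0.2.44",
     "user.name": "netops", "event.outcome": "success", "auth.method": "forticloud-sso"},
]


@dataclass(frozen=True)
class Alert:
    timestamp: datetime
    source_ip: str
    user: str
    last_seen: Optional[datetime]  # None when the IP has no prior successful SSO login


def is_successful_sso_login(event: dict) -> bool:
    """Only successful FortiCloud SSO logins are evaluated and count as 'seen'."""
    return (event.get("event.outcome") == "success"
            and event.get("auth.method") == "forticloud-sso")


def novel_sso_logins(events: List[dict], window_days: int = 5) -> List[Alert]:
    """Return one Alert per successful SSO login whose source IP has not had a
    successful SSO login within the preceding window_days."""
    window = timedelta(days=window_days)
    last_success: Dict[str, datetime] = {}  # source.ip -> most recent successful SSO login
    alerts: List[Alert] = []
    # Process in time order so "seen before" only looks backwards.
    for event in sorted(events, key=lambda e: datetime.fromisoformat(e["@timestamp"])):
        if not is_successful_sso_login(event):
            continue  # failures and non-SSO logins neither alert nor suppress later alerts
        ts = datetime.fromisoformat(event["@timestamp"])
        ip = event["source.ip"]
        prev = last_success.get(ip)
        if prev is None or ts - prev > window:
            alerts.append(Alert(ts, ip, event.get("user.name", "-"), prev))
        last_success[ip] = ts
    return alerts


if __name__ == "__main__":
    for alert in novel_sso_logins(SAMPLE_EVENTS):
        seen = alert.last_seen.isoformat() if alert.last_seen else "never"
        print(f"{alert.timestamp.isoformat()} novel SSO login from {alert.source_ip} "
              f"(user={alert.user}, last seen={seen})")
```

On the constructed sample this raises four alerts: the first login from each of the three addresses, plus a second alert for `203.0.113.10` on 2026-01-29 because its previous successful SSO login was seven days earlier, outside the five-day window. A production implementation must persist `last_success` across runs (Elastic's rule keeps this history in the index rather than in process memory), and the comparison of an alerted IP against known safe locations remains an analyst step, as the rule's investigation guidance describes.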
Categories
  • Network
  • Identity Management
Data Sources
  • Firewall
  • User Account
  • Application Log
ATT&CK Techniques
  • T1078
  • T1078.004
Created: 2026-01-28