This rule monitors for newly observed Elastic Defend behavior alerts that occur for the first time in a single day, comparing them against the previous five days of alert history. It is designed to identify low-frequency alerts linked to specific detection rules that have not been previously seen, allowing security analysts to prioritize their triage and response efforts. The detection logic uses an event stream from Elastic Defend to count the number of alerts, track when they were first and last seen, and gather additional context regarding the agents involved, processes, and user actions. Alerts that occur within a short timeframe and show minimal agent interaction are highlighted, completing the preliminary analysis for potential threats such as early malware execution or initial attempts at persistence.