
Summary
This detection rule identifies the first successful login of a user holding the 'Administrator' role to the FortiGate management interface within the last five days. Such logins could indicate newly created accounts, potential misconfigurations, or unauthorized access using valid credentials. The rule combines ES|QL queries that filter log data from Fortinet devices for login events and evaluate the timing of those events, so that only a user's first successful administrator login within the window is surfaced. Because administrator access is sensitive, even legitimate first-time logins should be validated thoroughly to confirm they are authorized and expected. Triage steps are provided for investigators to determine whether the login is part of a legitimate administrative process or indicates a potential security incident.
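The following Python is an added illustration of the rule's logic and is not the rule's own ES|QL or any Fortinet code. It parses constructed FortiGate-style key="value" log lines, keeps only successful administrator logins, finds each user's earliest success in the available history, and reports those users whose first success falls inside the last five days. Field names (date, time, type, subtype, action, status, profile, user, srcip) and the mapping of the 'Administrator' role to the super_admin profile are assumptions modelled on FortiGate event logs, not values taken from the page.

```python
"""Approximation of a 'first successful administrator login in the last
five days' detection over constructed FortiGate-style log lines.
Added example; field names and the admin-profile mapping are assumptions."""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real device output). 'netops' has logins
# before and inside the window, 'contractor' first succeeds inside the window
# after one failure, 'scanner' only ever fails, 'readonly' is not an admin.
SAMPLE_LOGS = [
    'date=2026-01-20 time=08:00:01 type="event" subtype="system" logdesc="Admin login successful" user="netops" srcip=10.0.0.5 action="login" status="success" profile="super_admin"',
    'date=2026-01-26 time=09:15:22 type="event" subtype="system" logdesc="Admin login failed" user="contractor" srcip=10.0.0.9 action="login" status="failed" profile="super_admin"',
    'date=2026-01-26 time=09:15:40 type="event" subtype="system" logdesc="Admin login successful" user="contractor" srcip=10.0.0.9 action="login" status="success" profile="super_admin"',
    'date=2026-01-27 time=11:02:13 type="event" subtype="system" logdesc="Admin login successful" user="netops" srcip=10.0.0.5 action="login" status="success" profile="super_admin"',
    'date=2026-01-27 time=12:45:09 type="event" subtype="system" logdesc="Admin login failed" user="scanner" srcip=10.0.0.11 action="login" status="failed" profile="super_admin"',
    'date=2026-01-27 time=13:30:00 type="event" subtype="system" logdesc="Admin login successful" user="readonly" srcip=10.0.0.7 action="login" status="success" profile="prof_admin"',
]

# Reference "now" for the example run, chosen to match the rule's creation date.
NOW = datetime(2026, 1, 28, 12, 0, 0, tzinfo=timezone.utc)

# Assumed: the 'Administrator' role corresponds to the super_admin profile.
ADMIN_PROFILES = {"super_admin"}

# Matches key=value pairs where the value is either "quoted" or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line: str) -> dict[str, str]:
    """Parse one FortiGate-style key=value line into a dict (quotes stripped)."""
    fields: dict[str, str] = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def event_time(fields: dict[str, str]) -> datetime:
    """Combine the date and time fields into a timezone-aware UTC timestamp."""
    stamp = f"{fields['date']} {fields['time']}"
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def is_successful_admin_login(fields: dict[str, str]) -> bool:
    """True only for a successful login event by an administrator profile."""
    return (
        fields.get("type") == "event"
        and fields.get("subtype") == "system"
        and fields.get("action") == "login"
        and fields.get("status") == "success"
        and fields.get("profile") in ADMIN_PROFILES
    )


def first_admin_logins(lines, now: datetime, window: timedelta = timedelta(days=5)) -> dict[str, datetime]:
    """Return {user: first_success_time} for admin users whose earliest
    successful login in the history falls within `window` before `now`.
    Users who logged in successfully before the window are not reported,
    and failed attempts never count as a first login."""
    first_seen: dict[str, datetime] = {}
    for line in lines:
        fields = parse_line(line)
        if not is_successful_admin_login(fields):
            continue
        ts = event_time(fields)
        user = fields["user"]
        if user not in first_seen or ts < first_seen[user]:
            first_seen[user] = ts
    cutoff = now - window
    return {u: t for u, t in first_seen.items() if t >= cutoff}


if __name__ == "__main__":
    for user, ts in first_admin_logins(SAMPLE_LOGS, NOW).items():
        print(f"ALERT first admin login: user={user} at {ts.isoformat()}")
```

On the constructed input only contractor is reported: netops already had a successful administrator login before the window, scanner never succeeded, and readonly does not hold an administrator profile. The history fed to the function must extend beyond the five-day window, otherwise every long-standing administrator looks new.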
Categories
- Network
- Identity Management
Data Sources
- Logon Session
- User Account
- Application Log
ATT&CK Techniques
- T1078
Created: 2026-01-28