Lateral Movement via Compromised Identity (Network Logon Multi-Host)
Detects users authenticating over the network to multiple distinct hosts from the same source IP. This is a characteristic pattern of lateral movement with compromised credentials in APT hands-on-keyboard operations, as described in CrowdStrike IR scenarios.
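A sketch of the detection logic described above, run over sample logon events. This is an added example, not the rule's own query. The threshold, time window, event field layout and the mapping of "network logon" to Windows logon type 3 are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values; the rule description states neither a threshold nor a window.
MIN_DISTINCT_HOSTS = 3
WINDOW = timedelta(minutes=10)
NETWORK_LOGON = 3  # Windows logon type 3 (Network); assumed mapping for "network logon"

# Constructed sample events: (time, user, source IP, target host, logon type).
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:05", "jdoe",   "10.0.5.77", "WS-014", 3),
    ("2024-05-01T09:01:10", "jdoe",   "10.0.5.77", "FS01",   3),
    ("2024-05-01T09:01:40", "jdoe",   "10.0.5.77", "FS01",   3),   # repeat host, counted once
    ("2024-05-01T09:04:30", "jdoe",   "10.0.5.77", "SQL02",  3),   # third distinct host
    ("2024-05-01T09:02:00", "asmith", "10.0.5.31", "FS01",   3),
    ("2024-05-01T09:03:00", "asmith", "10.0.5.31", "PRN01",  3),   # only two hosts
    ("2024-05-01T08:00:00", "bkim",   "10.0.5.40", "FS01",   3),
    ("2024-05-01T10:00:00", "bkim",   "10.0.5.40", "SQL02",  3),
    ("2024-05-01T12:00:00", "bkim",   "10.0.5.40", "DC01",   3),   # spread over hours
    ("2024-05-01T09:10:00", "cwu",    "10.0.5.50", "WS-020", 10),
    ("2024-05-01T09:11:00", "cwu",    "10.0.5.50", "WS-021", 10),
    ("2024-05-01T09:12:00", "cwu",    "10.0.5.50", "WS-022", 10),  # not network logons
]

def detect_multi_host_logons(events, min_hosts=MIN_DISTINCT_HOSTS, window=WINDOW):
    """Alert on (user, source IP) pairs with network logons to >= min_hosts distinct hosts inside window."""
    by_key = defaultdict(list)
    for ts, user, src_ip, host, logon_type in events:
        if logon_type != NETWORK_LOGON:
            continue
        by_key[(user.lower(), src_ip)].append((datetime.fromisoformat(ts), host.upper()))
    alerts = []
    for (user, src_ip), logons in by_key.items():
        logons.sort()
        start = 0
        for end in range(len(logons)):
            while logons[end][0] - logons[start][0] > window:
                start += 1  # slide the window forward past stale logons
            hosts = {h for _, h in logons[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts.append({"user": user, "src_ip": src_ip, "hosts": sorted(hosts),
                               "first_seen": logons[start][0], "last_seen": logons[end][0]})
                break  # one alert per (user, source IP) pair
    return alerts

if __name__ == "__main__":
    for alert in detect_multi_host_logons(SAMPLE_EVENTS):
        print(alert)
```

Administrative jump hosts, vulnerability scanners and backup servers legitimately produce this pattern, so a deployment would normally exclude known source IPs or service accounts before alerting.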