Compromised Identity with Rapid Lateral Movement
Detects suspicious authentication patterns in which an account authenticates remotely to multiple hosts within a short time window. This pattern is indicative of a compromised identity being used for lateral movement, as observed in CrowdStrike hands-on-keyboard IR scenarios.
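
The logic described above, sketched as a sliding-window count of distinct destination hosts per account. This is an added example, not the rule's own query: the event field names, the 10-minute window, the 4-host threshold and the use of Windows logon types 3 and 10 to mean "remote" are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values; the rule description does not state them.
REMOTE_LOGON_TYPES = {3, 10}      # Windows 4624: network, RemoteInteractive
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_HOSTS = 4

def detect_rapid_lateral_movement(events, window=WINDOW, min_hosts=MIN_DISTINCT_HOSTS):
    """Return one alert per account, raised the first time the account has
    remote logons to >= min_hosts distinct hosts inside the sliding window."""
    recent = defaultdict(deque)   # account -> (ts, host) pairs still in window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] not in REMOTE_LOGON_TYPES:
            continue              # local/interactive logons are out of scope
        acct = ev["account"].lower()
        q = recent[acct]
        q.append((ev["ts"], ev["dest_host"].lower()))
        while ev["ts"] - q[0][0] > window:
            q.popleft()           # expire logons older than the window
        hosts = {h for _, h in q}
        # Repeated logons to one host never trip this: only distinct hosts count.
        if len(hosts) >= min_hosts and acct not in alerts:
            alerts[acct] = {"account": acct, "hosts": sorted(hosts),
                            "first_seen": q[0][0], "last_seen": ev["ts"]}
    return list(alerts.values())

# Constructed sample events (hypothetical accounts and host names).
T0 = datetime(2024, 1, 1, 9, 0)

def _ev(minute, account, host, logon_type=3):
    return {"ts": T0 + timedelta(minutes=minute), "account": account,
            "dest_host": host, "logon_type": logon_type}

SAMPLE_EVENTS = (
    [_ev(i, "svc_backup", f"ws-{i:02d}") for i in range(5)]        # burst across hosts
    + [_ev(i * 40, "alice", f"srv-{i:02d}") for i in range(4)]     # 4 hosts over 2 hours
    + [_ev(i, "bob", "fs-01") for i in range(6)]                   # same host repeatedly
    + [_ev(i, "carol", f"kiosk-{i:02d}", 2) for i in range(4)]     # interactive, not remote
)

if __name__ == "__main__":
    for alert in detect_rapid_lateral_movement(SAMPLE_EVENTS):
        print(alert)
```

In production the thresholds need baselining per environment, since vulnerability scanners, backup services and administrators' jump hosts legitimately fan out to many hosts and are usually handled with an allowlist.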