Compromised Identity Multi-Host Lateral Movement via Admin Protocols
Detects potentially compromised identities performing lateral movement by identifying users with connections to multiple distinct hosts over remote administration protocols (SMB, RDP, WinRM, SSH). Inspired by CrowdStrike IR's use of Falcon Identity Threat Protection to identify active hands-on-keyboard adversaries abusing valid credentials.
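The logic described above, as an added example that is not part of the original rule or CrowdStrike's product: it applies the per-user distinct-host count over admin protocols to a set of constructed connection records. The port-to-protocol mapping, the 30-minute sliding window and the threshold of three hosts are assumptions for this example, not values from the rule.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Destination ports mapped to the admin protocols the rule covers.
# Standard defaults; assumed for this example, tune to the environment.
ADMIN_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM", 22: "SSH"}

# Constructed sample connection records (not real telemetry):
# (timestamp, user, source host, destination host, destination port)
EVENTS = [
    ("2024-05-01T09:00:00", "CORP\\jdoe",   "WS01", "FS01",  445),
    ("2024-05-01T09:03:00", "CORP\\jdoe",   "WS01", "DC01",  445),
    ("2024-05-01T09:05:00", "CORP\\jdoe",   "WS01", "SQL01", 3389),
    ("2024-05-01T09:07:00", "CORP\\jdoe",   "WS01", "APP02", 5985),
    ("2024-05-01T09:08:00", "CORP\\jdoe",   "WS01", "FS01",  445),   # repeat host, counted once
    ("2024-05-01T09:10:00", "CORP\\asmith", "WS07", "FS01",  445),
    ("2024-05-01T09:11:00", "CORP\\asmith", "WS07", "FS01",  443),   # HTTPS, not an admin protocol
    ("2024-05-01T14:00:00", "CORP\\asmith", "WS07", "DC01",  3389),  # outside the 30-minute window
]


def find_multi_host_users(events, threshold=3, window=timedelta(minutes=30)):
    """Return {user: sorted distinct destination hosts} for every user that
    reached at least `threshold` distinct hosts over admin protocols within
    any sliding window of length `window`."""
    per_user = defaultdict(list)
    for ts, user, _src, dst, port in events:
        if port not in ADMIN_PORTS:          # ignore non-admin traffic
            continue
        per_user[user].append((datetime.fromisoformat(ts), dst, ADMIN_PORTS[port]))

    hits = {}
    for user, conns in per_user.items():
        conns.sort()                          # chronological order for the sliding window
        for i, (start, _, _) in enumerate(conns):
            hosts = {dst for t, dst, _ in conns[i:] if t - start <= window}
            if len(hosts) >= threshold:
                hits[user] = sorted(hosts)    # one alert per user is enough for triage
                break
    return hits


if __name__ == "__main__":
    for user, hosts in find_multi_host_users(EVENTS).items():
        print(f"ALERT {user}: {len(hosts)} distinct hosts via admin protocols -> {hosts}")
```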