Remote Authentication Spike per Account — Lateral Movement Detection
Detects accounts with more than 8 remote authentications within a 30-minute window, a pattern indicative of automated lateral movement or active use of compromised credentials for host pivoting. Aligned with Falcon Identity Threat Protection capabilities for detecting identity abuse and lateral movement in corporate environments.
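The threshold logic described above, as an added Python example (not the Falcon rule or query itself). It assumes events arrive as (timestamp, account, destination host) tuples already filtered to remote logons; the function name, field layout and sample events are constructed for illustration. It also reports distinct destination hosts per alert, which goes slightly beyond the description but helps separate pivoting from repeated logons to a single server.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 8                   # alert when the count is strictly greater than 8
WINDOW = timedelta(minutes=30)  # sliding window per account


def detect_auth_spikes(events, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per account per burst of remote authentications.

    events: iterable of (timestamp, account, dest_host) tuples (assumed shape).
    """
    recent = defaultdict(deque)  # account -> events inside the current window
    alerting = set()             # accounts already alerted for the current burst
    alerts = []
    for ts, account, dest in sorted(events):
        q = recent[account]
        q.append((ts, dest))
        # Expire events that are 30 minutes or more older than the newest one.
        while ts - q[0][0] >= window:
            q.popleft()
        if len(q) > threshold:
            if account not in alerting:  # suppress duplicates within one burst
                alerting.add(account)
                alerts.append({
                    "account": account,
                    "window_start": q[0][0],
                    "window_end": ts,
                    "count": len(q),
                    "distinct_hosts": len({d for _, d in q}),
                })
        else:
            alerting.discard(account)    # burst ended; re-arm the account
    return alerts


def sample_events():
    """Constructed sample data, not taken from any real environment."""
    t0 = datetime(2024, 1, 1, 9, 0)
    # 9 logons to 9 hosts in 16 minutes: exceeds the threshold.
    ev = [(t0 + timedelta(minutes=2 * i), "svc_backup", f"HOST-{i:02d}") for i in range(9)]
    # 9 logons spread over 4 hours: never more than 1 per window.
    ev += [(t0 + timedelta(minutes=30 * i), "jdoe", "FILESRV-01") for i in range(9)]
    # Exactly 8 logons in 8 minutes: at the threshold, not above it.
    ev += [(t0 + timedelta(minutes=i), "alice", f"WS-{i:02d}") for i in range(8)]
    return ev


if __name__ == "__main__":
    for alert in detect_auth_spikes(sample_events()):
        print(alert)
```
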