
Lateral Movement Alerts from a Newly Observed User

Elastic Detection Rules

Summary
This detection rule identifies possible lateral movement by newly observed users who trigger multiple alerts within a short time frame (10 minutes). It prioritizes these events for further investigation, limiting its scope to users first observed in the last five days. The detection logic uses ES|QL (Elasticsearch Query Language) to aggregate alerts tied to lateral movement behavior per user account and flags only those accounts whose alerts come from a sufficient number of distinct rules, so that a single noisy rule does not produce a hit on its own. The rule carries a higher risk score, reflecting its weight in an organization's security posture, particularly in environments exposed to unauthorized lateral movement.
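The following Python is an added illustration of the aggregation the summary describes, not the rule's actual ES|QL query and not code from Elastic's repository. It runs over constructed sample alerts: it keeps only lateral movement alerts, drops users whose first-seen date is older than five days, truncates timestamps into ten-minute windows, and reports the (user, window) pairs that accumulate enough distinct alert rules. The minimum of three distinct rules is an assumed threshold; the page does not state the real rule's value.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tunables mirroring the rule description. A user counts as "newly observed"
# if first seen within the last five days, and alerts are grouped into
# ten-minute windows. MIN_UNIQUE_RULES is an assumed value; the page does not
# give the rule's real threshold.
NEW_USER_WINDOW = timedelta(days=5)
ALERT_WINDOW = timedelta(minutes=10)
MIN_UNIQUE_RULES = 3


@dataclass(frozen=True)
class Alert:
    timestamp: datetime
    user: str
    rule_name: str
    tactic: str  # ATT&CK tactic the firing rule is tagged with


def window_start(ts: datetime) -> datetime:
    """Truncate a timestamp to the start of its ten-minute window (DATE_TRUNC-style)."""
    minutes = int(ALERT_WINDOW.total_seconds() // 60)
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)


def find_lateral_movement_from_new_users(alerts, first_seen, now, min_unique_rules=MIN_UNIQUE_RULES):
    """Return one finding per (user, window) in which a newly observed user
    triggered at least `min_unique_rules` distinct lateral movement alerts.

    `first_seen` maps user -> datetime of first observation (the baseline a
    "new terms" style source would provide); a user missing from it has no
    history at all and is treated as new.
    """
    cutoff = now - NEW_USER_WINDOW
    buckets = defaultdict(list)
    for a in alerts:
        if a.tactic != "lateral_movement":
            continue  # only lateral movement alerts contribute
        seen = first_seen.get(a.user)
        if seen is not None and seen < cutoff:
            continue  # established account: out of scope for this rule
        buckets[(a.user, window_start(a.timestamp))].append(a)

    findings = []
    for (user, start), bucket in sorted(buckets.items()):
        rules = sorted({a.rule_name for a in bucket})  # distinct rules, not raw alert count
        if len(rules) >= min_unique_rules:
            findings.append({"user": user, "window_start": start,
                             "unique_rules": rules, "alert_count": len(bucket)})
    return findings


# Constructed sample data (not real telemetry). The timestamps reuse the
# page's creation date purely as a reference point.
NOW = datetime(2026, 1, 14, 12, 0, 0)
FIRST_SEEN = {
    "svc-backup": NOW - timedelta(days=2),    # new account
    "alice": NOW - timedelta(days=90),        # long-established account
    "contractor7": NOW - timedelta(days=1),   # new, but only one alert type fires
}
T = lambda h, m, s=0: datetime(2026, 1, 14, h, m, s)
SAMPLE_ALERTS = [
    Alert(T(11, 30, 5), "svc-backup", "Remote Service Creation", "lateral_movement"),
    Alert(T(11, 31, 40), "svc-backup", "RDP Connection from Unusual Host", "lateral_movement"),
    Alert(T(11, 33, 0), "svc-backup", "Suspicious PowerShell", "execution"),   # wrong tactic
    Alert(T(11, 35, 10), "svc-backup", "SMB Admin Share Access", "lateral_movement"),
    Alert(T(11, 36, 0), "svc-backup", "Remote Service Creation", "lateral_movement"),  # repeat rule
    Alert(T(11, 31, 0), "alice", "Remote Service Creation", "lateral_movement"),
    Alert(T(11, 32, 0), "alice", "RDP Connection from Unusual Host", "lateral_movement"),
    Alert(T(11, 33, 0), "alice", "SMB Admin Share Access", "lateral_movement"),
    Alert(T(11, 40, 0), "contractor7", "Remote Service Creation", "lateral_movement"),
    Alert(T(11, 50, 0), "contractor7", "Remote Service Creation", "lateral_movement"),
]

if __name__ == "__main__":
    for f in find_lateral_movement_from_new_users(SAMPLE_ALERTS, FIRST_SEEN, NOW):
        print(f["user"], f["window_start"].isoformat(), f["alert_count"], f["unique_rules"])
```

On the sample data only svc-backup is reported: alice trips the same three rules in the same window but has a 90-day history, and contractor7 is new but repeats a single rule, which is exactly the noise the distinct-rule requirement is meant to suppress.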
Categories
  • Network
  • Endpoint
  • Windows
Data Sources
  • User Account
  • Network Traffic
  • Process
  • Logon Session
Created: 2026-01-14