
Summary
This detection rule identifies source IP addresses that have triggered multiple lateral movement alerts within a short window of time (10 minutes). Specifically, it surfaces source IPs that have only just been observed and have fired at least two different lateral movement detection rules in that window, a pattern consistent with an attacker pivoting between hosts rather than a single noisy rule. The core logic uses ES|QL to aggregate alert data by source IP, computing the number of distinct rules triggered, the number of alerts, and the time span over which they occurred, so that newly seen sources exhibiting lateral movement behaviour are brought to the top. Built-in filters are intended to reduce noise from routine administrative tooling and from expected periodic changes in activity. Because the rule correlates existing alerts rather than raw events, its precision depends on the upstream lateral movement rules and on the lookback used to decide that a source is newly observed. The rule flags these sources for investigation and recommends a tailored triage approach, helping incident response teams and security analysts separate true threats from false positives.
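The aggregation described above, re-implemented in Python over constructed sample alerts so the conditions (distinct rules, alert count, 10-minute window, newly observed source) can be seen firing and not firing. This is an added example, not the rule's own ES|QL: the alert field names, the tactic filter, the baseline of previously seen sources, and the sample alerts are all assumptions made for illustration.

```python
"""Illustrative re-implementation of the summary's correlation logic.

Added example, not the rule's ES|QL. Field names (@timestamp, source.ip,
rule.name, tactic), the KNOWN_SOURCES baseline and SAMPLE_ALERTS are
assumptions constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)   # correlation window from the summary
MIN_DISTINCT_RULES = 2           # at least two different rules must fire

# Constructed sample alerts (not real data), shaped like SIEM alert documents.
SAMPLE_ALERTS = [
    # newly observed source, two distinct rules 3.5 minutes apart: should fire
    {"@timestamp": "2026-01-14T10:00:00Z", "source.ip": "10.1.1.5",
     "rule.name": "RDP Connection from Unusual Host", "tactic": "Lateral Movement"},
    {"@timestamp": "2026-01-14T10:03:30Z", "source.ip": "10.1.1.5",
     "rule.name": "SMB Admin Share Access", "tactic": "Lateral Movement"},
    # same rule twice: only one distinct rule, should not fire
    {"@timestamp": "2026-01-14T10:01:00Z", "source.ip": "10.1.1.6",
     "rule.name": "SMB Admin Share Access", "tactic": "Lateral Movement"},
    {"@timestamp": "2026-01-14T10:02:00Z", "source.ip": "10.1.1.6",
     "rule.name": "SMB Admin Share Access", "tactic": "Lateral Movement"},
    # two distinct rules, but 30 minutes apart: outside the window
    {"@timestamp": "2026-01-14T09:30:00Z", "source.ip": "10.1.1.7",
     "rule.name": "WinRM Remote Shell", "tactic": "Lateral Movement"},
    {"@timestamp": "2026-01-14T10:00:00Z", "source.ip": "10.1.1.7",
     "rule.name": "SMB Admin Share Access", "tactic": "Lateral Movement"},
    # two rules in window, but the source is an already-known jump host
    {"@timestamp": "2026-01-14T10:04:00Z", "source.ip": "10.0.0.2",
     "rule.name": "RDP Connection from Unusual Host", "tactic": "Lateral Movement"},
    {"@timestamp": "2026-01-14T10:05:00Z", "source.ip": "10.0.0.2",
     "rule.name": "WinRM Remote Shell", "tactic": "Lateral Movement"},
    # different tactic entirely: excluded by the tactic filter
    {"@timestamp": "2026-01-14T10:04:00Z", "source.ip": "10.1.1.9",
     "rule.name": "Credential Dumping", "tactic": "Credential Access"},
    {"@timestamp": "2026-01-14T10:05:00Z", "source.ip": "10.1.1.9",
     "rule.name": "LSASS Memory Access", "tactic": "Credential Access"},
]

# Assumed baseline of source IPs seen before this run (e.g. an admin jump host).
# In a real deployment this would come from a lookback over historical alerts.
KNOWN_SOURCES = {"10.0.0.2"}


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample alerts."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_new_lateral_movement_sources(alerts, known_sources,
                                      window=WINDOW, min_rules=MIN_DISTINCT_RULES):
    """Return {source_ip: details} for newly observed sources that fired at
    least `min_rules` distinct lateral movement rules inside `window`."""
    by_ip = defaultdict(list)
    for alert in alerts:
        if alert["tactic"] != "Lateral Movement":
            continue                      # only correlate lateral movement alerts
        if alert["source.ip"] in known_sources:
            continue                      # not a newly observed source
        by_ip[alert["source.ip"]].append((parse_ts(alert["@timestamp"]), alert["rule.name"]))

    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        # Slide a window anchored at each alert; the first window that
        # contains enough distinct rules is reported for this source.
        for i, (start, _rule) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            rules = sorted({rule for _, rule in in_window})
            if len(rules) >= min_rules:
                hits[ip] = {
                    "rules": rules,
                    "alert_count": len(in_window),
                    "window_start": start,
                    "window_end": in_window[-1][0],
                }
                break
    return hits


if __name__ == "__main__":
    for ip, details in find_new_lateral_movement_sources(SAMPLE_ALERTS, KNOWN_SOURCES).items():
        print(ip, details["alert_count"], "alerts", details["rules"])
```

Only 10.1.1.5 is reported: 10.1.1.6 hits one rule twice, 10.1.1.7 spans 30 minutes, 10.0.0.2 is in the baseline, and 10.1.1.9 is not tagged as lateral movement. The baseline set stands in for the "newly observed" check; tuning that lookback, and the set of rules counted as lateral movement, is where most false positives from administrative tooling are controlled.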
Categories
- Endpoint
- Network
- Cloud
Data Sources
- Network Traffic
- Logon Session
- Application Log
Created: 2026-01-14