
Summary
This detection rule identifies potential lateral movement activity within an organization's Active Directory (AD) environment by correlating multiple analytic outcomes from the Active Directory Lateral Movement analytic story within a specified time frame. Lateral movement is a technique commonly used by attackers to reach additional resources within a network after an initial foothold. The rule uses the Splunk `tstats` command to aggregate risk scores and counts of the attributes associated with lateral movement. By flagging risk objects for which the count of distinct contributing sources exceeds a threshold within the window, it can alert security analysts to possible unauthorized movement within Active Directory that may facilitate privilege escalation, sensitive data retrieval, or persistence in the environment. Implementing this rule can significantly enhance the detection capabilities of a Security Operations Center (SOC). Careful tuning is required to minimize false positives, particularly by adjusting the source-count threshold to the organization's normal administrative activity and risk scoring.
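The correlation the summary describes, as an added Python example rather than the rule's own SPL or data: constructed risk-index events are grouped per risk object into one-hour windows (mirroring a `tstats ... by _time span=1h risk_object`), the distinct contributing detections (`source`) are counted and their risk scores summed, and a window is alerted on when the distinct-source count reaches the threshold. The analytic names, hosts, scores and the threshold of 4 are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

STORY = "Active Directory Lateral Movement"

# Constructed sample risk events (not real data): one analytic ("source")
# firing against a host ("risk_object") with the score it contributed.
SAMPLE_RISK_EVENTS = [
    ("2024-11-13T10:05:00", "host01", STORY, "Remote WMI process start", 25),
    ("2024-11-13T10:12:00", "host01", STORY, "Suspicious service path", 40),
    ("2024-11-13T10:31:00", "host01", STORY, "Scheduled task run on demand", 30),
    ("2024-11-13T10:47:00", "host01", STORY, "Remote WMI command attempt", 25),
    ("2024-11-13T10:09:00", "host02", STORY, "Remote WMI command attempt", 25),
    ("2024-11-13T10:15:00", "host02", STORY, "Remote WMI command attempt", 25),
    ("2024-11-13T10:40:00", "host02", STORY, "Scheduled task run on demand", 30),
    ("2024-11-13T12:03:00", "host01", STORY, "Remote WMI command attempt", 25),
    ("2024-11-13T10:20:00", "host01", "Some Other Story", "Unrelated analytic", 50),
]


def bucket_start(ts: datetime, span: timedelta) -> datetime:
    """Floor a timestamp to the start of its span-sized window (like span=1h)."""
    epoch = datetime(1970, 1, 1)
    return epoch + ((ts - epoch) // span) * span


def correlate(events, story=STORY, span=timedelta(hours=1), source_threshold=4):
    """Group events by (risk_object, window); alert when distinct sources >= threshold."""
    groups = defaultdict(lambda: {"sources": set(), "risk_score": 0})
    for time_str, risk_object, stories, source, score in events:
        if stories != story:  # the `where analyticstories=...` filter
            continue
        key = (risk_object, bucket_start(datetime.fromisoformat(time_str), span))
        groups[key]["sources"].add(source)          # feeds dc(source)
        groups[key]["risk_score"] += score          # feeds sum(risk_score)
    alerts = []
    for (risk_object, window), g in sorted(groups.items()):
        if len(g["sources"]) >= source_threshold:   # source_count >= threshold
            alerts.append({"risk_object": risk_object, "window_start": window.isoformat(),
                           "source_count": len(g["sources"]), "risk_score": g["risk_score"],
                           "sources": sorted(g["sources"])})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_RISK_EVENTS):
        print(alert)
```

Lowering `source_threshold` to 2 also surfaces host02, which only has one repeated analytic plus one other; this is the tuning lever the summary refers to.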
Categories
- Identity Management
- Endpoint
- Infrastructure
Data Sources
- Active Directory
- Application Log
- Network Traffic
ATT&CK Techniques
- T1210
- T1218
Created: 2024-11-13