Lateral movement plays a vital role in a network attack campaign. After breaking into the intranet, perpetrators penetrate to their final target through this procedure. In order to protect the crucial resources of an enterprise, it is of significant importance to identify lateral movement traces. Previous studies related to this area have proposed several methods. However, most of them failed to raise high-quality alerts; thus security operators cannot identify the real threat from raised massive alerts and make a response in time. To fill this gap, in this paper, we propose a novel approach based on Behavior Deviation Measurement (BEDIM) to raise a few but effective alerts for lateral movement detection. By modeling the behavior deviation level of each machine on the connection expanded graph se-quences, BEDIM can locate unusual connections from massive logs as initial abnormal records. Apart from this, BEDIM also applies a strategy to filter benign records from initial abnormal connections to further reduce false alerts. Compared to related state-of-the-arts, BEDIM is more precise, robust, and efficient. For evaluation, we test BEDIM on two datasets, which are collected from the intranet of two enterprises. And the results demonstrate the effectiveness of our BEDIM.