drop authentication log + device fingerprint + email change log · attribute initial access + lateral movement · runs locally
auth log · device fingerprint · email change · local only
heuristic screener · vendor schema varies · not definitive proof