Drop in an AKS audit log export · parses API server and admin events
Flags AAD pod identity token usage · cluster-admin kubeconfig downloads · RBAC admin operations · off-hours activity
Heuristic screener · the AKS diagnostic log schema varies by distro and version, so column mapping is best-effort · flags are leads to review, not definitive proof
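The screening logic described above, as an added Python example that is not the page's own tool: it applies best-effort column mapping (trying several candidate keys for the embedded Kubernetes audit event, since the export schema varies), then flags RBAC admin operations, cluster-admin kubeconfig downloads and off-hours activity over a few constructed records. The candidate key names (`log_s`, `log`, `properties.log`), the ARM operation name used for the admin-credential download, the business-hours window and all sample records are assumptions for the example; AAD pod identity token usage is not modelled here because its log source differs between setups.

```python
"""Heuristic AKS audit screener (added example; assumptions labelled inline)."""
import json
from datetime import datetime, timezone

# Assumed candidate keys under which an export may carry the raw Kubernetes
# audit event; the schema differs by distro/version, so each is tried in turn.
AUDIT_PAYLOAD_KEYS = ("log_s", "log", "properties.log")

# RBAC objects whose mutation is worth a second look (Kubernetes resource names).
RBAC_RESOURCES = {"clusterrolebindings", "rolebindings", "clusterroles", "roles"}
MUTATING_VERBS = {"create", "update", "patch", "delete"}

# Assumed ARM operation name for a cluster-admin kubeconfig download; confirm
# against your own activity log before relying on it.
ADMIN_CRED_OP = (
    "microsoft.containerservice/managedclusters/listclusteradmincredential/action"
)

BUSINESS_HOURS = range(8, 18)  # assumed working window, 08:00-17:59 UTC


def _get_path(obj, dotted):
    """Walk a dotted key path through nested dicts; None if any hop is missing."""
    cur = obj
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def extract_audit_event(record):
    """Best-effort column mapping: return the embedded audit event dict, or None."""
    for key in AUDIT_PAYLOAD_KEYS:
        payload = _get_path(record, key)
        if payload is None:
            continue
        if isinstance(payload, str):  # some exports serialise the event as text
            try:
                payload = json.loads(payload)
            except ValueError:
                continue
        if isinstance(payload, dict) and payload.get("kind") == "Event":
            return payload
    return None


def _parse_ts(value):
    """Parse an RFC 3339 timestamp to aware UTC; None if absent or malformed."""
    if not value:
        return None
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)
    except ValueError:
        return None


def screen_record(record):
    """Return the list of heuristic flags raised by one export record."""
    flags, ts, actionable = [], None, False
    ev = extract_audit_event(record)
    if ev is not None:
        ts = _parse_ts(ev.get("stageTimestamp") or ev.get("requestReceivedTimestamp"))
        ref = ev.get("objectRef") or {}
        actionable = ev.get("verb") in MUTATING_VERBS
        if actionable and ref.get("resource") in RBAC_RESOURCES:
            flags.append("rbac-admin-op")
    elif isinstance(record.get("operationName"), str):  # ARM control-plane record
        ts = _parse_ts(record.get("time") or record.get("eventTimestamp"))
        actionable = True
        if record["operationName"].lower() == ADMIN_CRED_OP:
            flags.append("admin-kubeconfig-download")
    if actionable and ts is not None and ts.hour not in BUSINESS_HOURS:
        flags.append("off-hours")
    return flags


def screen_all(records):
    """Screen every record; return (index, flags) pairs for records that raised any."""
    return [(i, screen_record(r)) for i, r in enumerate(records) if screen_record(r)]


# Constructed sample records, one per mapping variant the screener handles.
SAMPLE_RECORDS = [
    {"category": "kube-audit", "log_s": json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
        "user": {"username": "alice@example.com"},
        "objectRef": {"resource": "clusterrolebindings", "name": "crb-demo",
                      "apiGroup": "rbac.authorization.k8s.io"},
        "stageTimestamp": "2024-03-12T02:14:05.000000Z"})},
    {"category": "kube-audit", "properties": {"log": {
        "kind": "Event", "verb": "get",
        "objectRef": {"resource": "pods", "namespace": "default"},
        "stageTimestamp": "2024-03-12T10:30:00Z"}}},
    {"operationName": "MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/LISTCLUSTERADMINCREDENTIAL/ACTION",
     "time": "2024-03-12T11:00:00Z", "caller": "bob@example.com"},
]

if __name__ == "__main__":
    for idx, flags in screen_all(SAMPLE_RECORDS):
        print(f"record {idx}: {', '.join(flags)}")
```

Because the key-probing in `extract_audit_event` is the only place schema knowledge lives, adapting the screener to a differently shaped export means extending `AUDIT_PAYLOAD_KEYS`; the rules themselves stay untouched, and every flag remains a lead to review rather than a verdict.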