drop azure storage diagnostic log · parse blob ops
flags blob download bursts · sas token usage · container public access · delete container · off-hours · volume spikes · bulk destructive
heuristic screener · azure diagnostic schema varies by account/version — column mapping is best-effort · not definitive proof
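An added sketch of this kind of screening, not the tool's own code: it maps headers best-effort and flags SAS usage, container ACL changes, container deletes, off-hours activity and download bursts (volume spikes and bulk-destructive checks are left out). The header aliases, thresholds, working hours and sample rows are assumptions made for illustration.

```python
import csv, io
from collections import defaultdict
from datetime import datetime, timedelta

# Best-effort header aliases (assumed; real exports differ by account/version).
ALIASES = {
    "time": ("timegenerated", "time", "request-start-time"),
    "op":   ("operationname", "operation-type"),
    "auth": ("authenticationtype", "authentication-type"),
    "ip":   ("calleripaddress", "requester-ip-address"),
}
BURST_N, BURST_WINDOW = 3, timedelta(seconds=60)   # assumed burst threshold
WORK_HOURS = range(7, 19)                          # assumed working hours, UTC

def map_columns(header):
    """Map canonical field -> actual column name, skipping any not found."""
    lower = {h.strip().lower(): h for h in header}
    return {k: lower[a] for k, names in ALIASES.items() for a in names if a in lower}

def screen(csv_text):
    """Return a list of (timestamp, ip, flag) findings for one log export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    cols = map_columns(rows.fieldnames or [])
    findings, recent = [], defaultdict(list)
    for row in rows:
        get = lambda k: (row.get(cols.get(k, "")) or "").strip()
        try:
            ts = datetime.fromisoformat(get("time").replace("Z", "+00:00"))
        except ValueError:
            continue  # missing or unparseable timestamp: skip the row
        op, ip = get("op").lower(), get("ip").split(":")[0]  # drop IPv4 port
        flags = ["sas-token"] if get("auth").lower() == "sas" else []
        if op in ("setcontaineracl", "deletecontainer"):
            flags.append(op)
        if ts.hour not in WORK_HOURS:
            flags.append("off-hours")
        if op == "getblob":  # sliding window of recent downloads per caller
            hits = recent[ip] = [t for t in recent[ip] if ts - t <= BURST_WINDOW] + [ts]
            if len(hits) == BURST_N:
                flags.append("download-burst")
        findings += [(ts.isoformat(), ip, f) for f in flags]
    return findings

# Constructed sample rows (documentation IPs), not real log data.
SAMPLE = """TimeGenerated,OperationName,AuthenticationType,CallerIpAddress
2024-05-01T10:00:00Z,GetBlob,SAS,198.51.100.7:50001
2024-05-01T10:00:10Z,GetBlob,SAS,198.51.100.7:50002
2024-05-01T10:00:20Z,GetBlob,SAS,198.51.100.7:50003
2024-05-02T02:30:00Z,DeleteContainer,OAuth,203.0.113.9:40000"""
```

Columns that cannot be mapped simply disable the checks that depend on them, so an empty result is not evidence that nothing happened.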