drop generic oci registry pull log · parse image pulls + originating ip
flags mass pull bursts · anonymous pulls · suspicious :latest tag overwrites · per-file try/catch
heuristic screener · log format varies by registry distro/version — column mapping is best-effort · not definitive proof