drop duo admin api auth log · parse push + bypass + denial events
flags bypass code usage · push deny-then-allow fatigue · new device first-seen · geo anomalies
heuristic screener · export format varies by tenant/version — column mapping is best-effort · not definitive proof