drop gitlab admin audit event export · parse user + project events · runs locally
flags admin setting changes · token creation bursts · protected branch overrides · impersonation events
heuristic screener · partial exports may omit entity ids — timeline correlation is indicative only · not definitive proof