drop kafka audit log · parse producer + consumer events
flags denied produce/consume · ACL changes · principal enumeration · timeline + severity/reason
heuristic screener · audit schema varies by kafka version and authorizer — not definitive proof
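
A sketch of the three checks listed above, as an added example that is not the tool's own code. The line layout is modelled on the text that Kafka's AclAuthorizer writes to its authorizer log and is an assumption here, as are the sample lines, the threshold, the severity labels, and the reading of "principal enumeration" as one host being denied under several principals.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real logs); layout assumed from AclAuthorizer text output.
SAMPLE = """\
[2024-05-01 10:00:01,120] DEBUG Principal = User:app1 is Allowed Operation = Write from host = 10.0.0.5 on resource = Topic:LITERAL:orders for request = Produce with resourceRefCount = 1 (kafka.authorizer.logger)
[2024-05-01 10:00:05,300] INFO Principal = User:svc-a is Denied Operation = Write from host = 10.0.0.9 on resource = Topic:LITERAL:payments for request = Produce with resourceRefCount = 1 (kafka.authorizer.logger)
[2024-05-01 10:00:06,010] INFO Principal = User:svc-b is Denied Operation = Read from host = 10.0.0.9 on resource = Topic:LITERAL:payments for request = Fetch with resourceRefCount = 1 (kafka.authorizer.logger)
[2024-05-01 10:00:07,450] INFO Principal = User:svc-c is Denied Operation = Describe from host = 10.0.0.9 on resource = Topic:LITERAL:payments for request = Metadata with resourceRefCount = 1 (kafka.authorizer.logger)
[2024-05-01 10:02:00,000] DEBUG Principal = User:ops is Allowed Operation = Alter from host = 10.0.0.2 on resource = Cluster:LITERAL:kafka-cluster for request = CreateAcls with resourceRefCount = 1 (kafka.authorizer.logger)
"""

# The "for request" suffix is optional because older brokers do not log it.
LINE = re.compile(
    r"\[(?P<ts>[^\]]+)\].*?Principal = (?P<principal>\S+) is (?P<result>Allowed|Denied) "
    r"Operation = (?P<op>\w+) from host = (?P<host>\S+) on resource = (?P<resource>\S+)"
    r"(?: for request = (?P<request>\w+))?")

ACL_REQUESTS = {"CreateAcls", "DeleteAcls"}
ENUM_THRESHOLD = 3  # hypothetical: distinct denied principals seen from one host

def screen(text):
    """Return (timestamp, severity, reason, subject, detail) tuples in time order."""
    findings, denied_by_host = [], defaultdict(set)
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # schema varies by version/authorizer: skip rather than guess
        e = m.groupdict()
        if e["request"] in ACL_REQUESTS:
            # A successful ACL change matters more than a refused attempt.
            sev = "high" if e["result"] == "Allowed" else "medium"
            findings.append((e["ts"], sev, "acl_change", e["principal"], e["resource"]))
        elif e["result"] == "Denied" and e["op"] in ("Write", "Read"):
            reason = "denied_produce" if e["op"] == "Write" else "denied_consume"
            findings.append((e["ts"], "medium", reason, e["principal"], e["resource"]))
        if e["result"] == "Denied":
            seen = denied_by_host[e["host"]]
            seen.add(e["principal"])
            if len(seen) == ENUM_THRESHOLD:  # fire once, when the threshold is reached
                findings.append((e["ts"], "high", "principal_enumeration",
                                 e["host"], f"{len(seen)} principals denied"))
    return sorted(findings, key=lambda f: f[0])

if __name__ == "__main__":
    for finding in screen(SAMPLE):
        print(*finding, sep=" | ")
```
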