drop ad event 4662 + laps log · parse password reads
parses directory service access · flags bulk reads · non-admin accessor · after-hours bursts · cross-host sweeps
heuristic screener · laps v1/v2 attribute names vary — 4662 property matching is indicative only · not definitive proof
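The four flags listed above, as an added example (not this tool's own code) run over constructed 4662 records. The field names, GUID placeholder, allowlist, working hours, window and thresholds are all assumptions; the real schemaIDGUID of the LAPS password attribute has to be looked up in the forest being monitored.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder GUID (constructed): substitute the schemaIDGUID of the LAPS
# password attribute(s) as found in your own forest's schema.
LAPS_GUID = "00000000-0000-0000-0000-00000000aaaa"
LAPS_GUIDS = {LAPS_GUID}
EXPECTED_READERS = {"CORP\\helpdesk-admin"}  # assumed allowlist of accessors
WORK_HOURS = range(7, 19)                    # assumed 07:00-18:59
WINDOW = timedelta(minutes=10)               # assumed burst window
BULK_READS, SWEEP_HOSTS = 5, 3               # assumed thresholds

def laps_reads(events):
    """Yield (time, accessor, object) for 4662 events naming a LAPS GUID."""
    for e in events:
        props = e["properties"].lower()
        if e["id"] == 4662 and any(g in props for g in LAPS_GUIDS):
            yield datetime.fromisoformat(e["time"]), e["subject"], e["object"]

def screen(events):
    """Return {accessor: sorted flags}; a property match is indicative only."""
    by_user = defaultdict(list)
    for ts, user, obj in sorted(laps_reads(events)):
        by_user[user].append((ts, obj))
    findings = {}
    for user, reads in by_user.items():
        flags = set()
        if user not in EXPECTED_READERS:
            flags.add("non-admin accessor")
        for i, (start, _) in enumerate(reads):
            # Reads by this accessor inside the window opened by read i.
            burst = [r for r in reads[i:] if r[0] - start <= WINDOW]
            if len(burst) >= BULK_READS:
                flags.add("bulk reads")
                if any(t.hour not in WORK_HOURS for t, _ in burst):
                    flags.add("after-hours burst")
            if len({obj for _, obj in burst}) >= SWEEP_HOSTS:
                flags.add("cross-host sweep")
        if flags:
            findings[user] = sorted(flags)
    return findings

# Constructed sample events; the dict keys are an assumed normalised form.
def ev(time, subject, host, guid):
    return {"id": 4662, "time": time, "subject": subject,
            "properties": "{%s}" % guid, "object": "CN=%s,DC=corp,DC=example" % host}

SAMPLE = [ev("2024-05-04T02:0%d:00" % i, "CORP\\jdoe", "WS%02d" % (i % 4),
             LAPS_GUID.upper()) for i in range(6)]
SAMPLE.append(ev("2024-05-06T10:15:00", "CORP\\helpdesk-admin", "WS07", LAPS_GUID))
SAMPLE.append(ev("2024-05-06T11:00:00", "CORP\\svc-backup", "WS01", "0" * 8))
print(screen(SAMPLE))
```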