drop nextcloud audit log · parse file + share + login events
flags public share links · brute-force login spikes · app passwords · mass deletes · off-hours · actor spikes
heuristic screener · client/export format varies — column mapping is best-effort · not definitive proof