drop OneLogin event log · parse user + app events
flags assume-user chains · app provisioning bursts · failed login clusters · policy bypass notes
heuristic screener · export format varies by admin portal — not definitive proof