drop ping audit log · parse authn + admin events
flags admin config changes · failed sso spikes · adapter swap · off-hours privileged events
heuristic screener · product-specific fields vary by pingfederate/pingone version — mapping is best-effort · not definitive proof