drop truenas audit + middleware log · parse share access + administrative changes
flags SMB share permission edits · API key creation · dataset destroy · replication job changes · off-hours · actor spikes · bulk destructive
heuristic screener · client/export format varies — heuristic parsing only · TrueNAS Scale/Core log schemas differ · not definitive proof