Drop in a YubiKey audit log export (where available) · parses credential-usage events
Flags after-hours OTP bursts · clusters of failed authentications · the same key serial seen across disparate hosts
Heuristic screener only · export format varies by product, so hits are leads to triage, not definitive proof
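An added example of the three heuristics above, written for this page rather than taken from any product; the CSV layout, field names, window sizes and sample rows are constructed for illustration, since real export formats vary:

```python
# Added example (not any product's code): heuristic screener over a constructed export layout.
import csv
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample export (not a real product's format): ts,host,serial,event,result
SAMPLE = """ts,host,serial,event,result
2024-03-01T02:10:00,web-01,12345678,otp_auth,success
2024-03-01T02:11:00,web-01,12345678,otp_auth,success
2024-03-01T02:14:00,vpn-gw,12345678,otp_auth,fail
2024-03-01T02:15:00,vpn-gw,12345678,otp_auth,fail
2024-03-01T02:16:00,vpn-gw,12345678,otp_auth,fail
2024-03-01T10:00:00,web-02,87654321,otp_auth,success
"""
def parse_events(text):
    """Parse the constructed CSV layout into dicts with a datetime 'ts', sorted by time."""
    rows = [dict(r, ts=datetime.fromisoformat(r["ts"]))
            for r in csv.DictReader(text.strip().splitlines())]
    return sorted(rows, key=lambda r: r["ts"])

def _bursts(events, window, threshold):
    """Serials with >= threshold events inside any sliding time window (events sorted)."""
    by_serial = defaultdict(list)
    for e in events:
        by_serial[e["serial"]].append(e["ts"])
    hits = set()
    for serial, ts in by_serial.items():
        lo = 0
        for hi in range(len(ts)):
            while ts[hi] - ts[lo] > window:   # shrink the window from the left
                lo += 1
            if hi - lo + 1 >= threshold:
                hits.add(serial)
    return hits

def after_hours_otp_bursts(events, start=20, end=6, window=timedelta(minutes=10), threshold=3):
    """OTP events outside working hours (timestamps assumed local) that cluster in time."""
    off = [e for e in events if e["event"] == "otp_auth"
           and (e["ts"].hour >= start or e["ts"].hour < end)]
    return _bursts(off, window, threshold)

def failed_auth_clusters(events, window=timedelta(minutes=5), threshold=3):
    return _bursts([e for e in events if e["result"] == "fail"], window, threshold)

def serial_across_hosts(events, min_hosts=2):
    """The same key serial seen on two or more distinct hosts: a lead to triage, not proof."""
    hosts = defaultdict(set)
    for e in events:
        hosts[e["serial"]].add(e["host"])
    return {s for s, h in hosts.items() if len(h) >= min_hosts}
```

Thresholds and the after-hours window are starting points to tune per environment; a hit from any one heuristic still needs the surrounding context before it means anything.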