pub fn audit(events: &[UserActivity]) -> Vec<Finding>

Audit a merged timeline for cross-source user-activity findings.

Emits hedged, low-false-positive observations achievable from the v0.1 sources:

- `USERACT-EXEC-DURING-REMOVABLE-MEDIA` — a shell command executed within `REMOVABLE_MEDIA_WINDOW_SECS` of a removable mass-storage device connection (temporal cross-source join). Consistent with activity involving external media (MITRE T1052 / T1091).
- `USERACT-HISTORY-TAMPERED` — a history-clearing activity present in the timeline (re-surfaced at the user-activity layer; MITRE T1070.003).

Every finding is an observation, never a verdict.
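To make the temporal cross-source join concrete, here is an added example (not the crate's own code) that implements the two checks described above over a constructed timeline. The event, kind and observation types, the `WINDOW_SECS` value, and the choice to fire only when the command runs at or after the media attach are all assumptions of this example; the crate's real `UserActivity`, `Finding` and `REMOVABLE_MEDIA_WINDOW_SECS` are not reproduced here.

```rust
// Added example, not code from the crate this page documents. It sketches
// the two checks the `audit` docs describe with simplified types; the
// crate's real `UserActivity`, `Finding` and `REMOVABLE_MEDIA_WINDOW_SECS`
// are assumed to differ in shape and value.

/// Window assumed for the example (the crate's constant is
/// `REMOVABLE_MEDIA_WINDOW_SECS`; its real value is not given on the page).
pub const WINDOW_SECS: i64 = 120;

/// Normalised event kinds a merged timeline might carry (assumed).
#[derive(Debug, Clone, PartialEq)]
pub enum Kind {
    ShellExec { cmd: String },
    RemovableMediaAttached { device: String },
    HistoryCleared,
}

/// One timeline entry (assumed shape). `ts` is Unix seconds.
#[derive(Debug, Clone)]
pub struct Event {
    pub ts: i64,
    pub user: String,
    pub kind: Kind,
}

/// An observation, deliberately not a verdict: it names the rule that
/// matched and the evidence, and leaves interpretation to the analyst.
#[derive(Debug, Clone, PartialEq)]
pub struct Observation {
    pub rule: &'static str,
    pub ts: i64,
    pub evidence: String,
}

pub fn audit(events: &[Event]) -> Vec<Observation> {
    // Work on a time-ordered copy so observations come out in timeline order.
    let mut timeline: Vec<&Event> = events.iter().collect();
    timeline.sort_by_key(|e| e.ts);

    // Index the media-attach events once; the join below scans them per command.
    let attaches: Vec<&Event> = timeline
        .iter()
        .copied()
        .filter(|e| matches!(e.kind, Kind::RemovableMediaAttached { .. }))
        .collect();

    let mut out = Vec::new();
    for e in &timeline {
        match &e.kind {
            Kind::ShellExec { cmd } => {
                // Temporal cross-source join: same user, command ran at or
                // after the attach, and no later than WINDOW_SECS after it.
                // Restricting to "after" is an assumption of this example.
                let hit = attaches.iter().find(|a| {
                    a.user == e.user && e.ts >= a.ts && e.ts - a.ts <= WINDOW_SECS
                });
                if let Some(a) = hit {
                    let device = match &a.kind {
                        Kind::RemovableMediaAttached { device } => device.as_str(),
                        _ => unreachable!("attaches only holds media events"),
                    };
                    out.push(Observation {
                        rule: "USERACT-EXEC-DURING-REMOVABLE-MEDIA",
                        ts: e.ts,
                        evidence: format!(
                            "user {} ran `{}` {}s after {} attached",
                            e.user, cmd, e.ts - a.ts, device
                        ),
                    });
                }
            }
            // History clearing needs no join; it is re-surfaced as-is.
            Kind::HistoryCleared => out.push(Observation {
                rule: "USERACT-HISTORY-TAMPERED",
                ts: e.ts,
                evidence: format!("user {} cleared shell history", e.user),
            }),
            Kind::RemovableMediaAttached { .. } => {}
        }
    }
    out
}

/// Constructed sample timeline (not real data) covering the edge cases:
/// a command before the attach, a different user, and one outside the window.
pub fn sample_timeline() -> Vec<Event> {
    let ev = |ts, user: &str, kind| Event { ts, user: user.to_string(), kind };
    vec![
        ev(990, "alice", Kind::ShellExec { cmd: "ls".into() }), // before attach: no hit
        ev(1000, "alice", Kind::RemovableMediaAttached { device: "sdb1".into() }),
        ev(1030, "alice", Kind::ShellExec { cmd: "cp /media/sdb1/report.pdf ~/".into() }), // hit
        ev(1050, "bob", Kind::ShellExec { cmd: "uptime".into() }), // other user: no hit
        ev(2000, "alice", Kind::ShellExec { cmd: "whoami".into() }), // outside window
        ev(3000, "bob", Kind::HistoryCleared), // hit
    ]
}

fn main() {
    for o in audit(&sample_timeline()) {
        println!("{} @ {}: {}", o.rule, o.ts, o.evidence);
    }
}
```

Joining on the user as well as on time is what keeps the false-positive rate low: without it, any command by any user near any attach would fire. The sample timeline yields exactly two observations, the `cp` at 1030 and the history clear at 3000.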