A. Resource Consumption β anomalous bandwidth or system utilization indicating active attacker activity such as data exfiltration
B. Missing Logs β absence of log entries that should exist, indicating deliberate deletion of forensic evidence
C. Out-of-Cycle Logging β administrative activity recorded outside expected operational schedules
D. Impossible Travel β authentication from two geographically distant locations within a physically impossible timeframe