How would you interpret logs from SIEMs, EDRs, and firewalls to reconstruct a timeline of events at T-Mobile?