The gaming industry standard is to observe reported/detected violators several times over the course of months. That way false positives are next to non-existant.

There are severals methods to determining violators that are used in conjunction with each other.

Logged server data, example: Player1 has been harvesting crystals for up to 8 hours a day straight, in the same pattern. Player1 was killed by a roaming A rank NM 10 times in a row in the same spot and continues to return, teleport and wander into the same spot to their death.

GM/investigator observation, example: GM/investigator while invisible or hidden observes player2.

GM/investigator tries to initiate a random conversaion, example GM/investigator sends a tell to player3, "hello player3, i noticed you are an avid battlegrounds goer, and you seem to really like Alterac Valley, i was wondering if you have any feedback about the current state of the game, also how's the weather IRL in your area?" GM/investigator waits for a proper response.

Detection/Triggers Automated anti-cheat: This is like a warning system. *CHEAT DETECTED ALARM GOES OFF AT GM OFFICE* GM/investigator's dont take a closer look until same trigger goes off several or a dozen times for the same offending player.

There's more, but you get the idea.