MacOS EDR - SIEM Log collection
future planned
Nick Stevens
Looking forward to seeing this implemented. For the majority of our clients we don't have any specific requirements and default to what the Huntress team determines to be ideal for identifying malicious activity or for use in post-event forensic investigation.
However, we do have one client who has a specific requirement from a Fortune 5 company that states they collect the below events from their MacOS endpoints to comply with that company's security requirements.
i) Account management events;
ii) Object access;
iii) Policy change;
iv) Privilege functions;
v) Process tracking and system events;
vi) All administrator activity;
vii) Authentication checks;
viii) Authorization checks;
ix) Data deletions;
x) Data access;
xi) Data changes;
xii) Permission changes.
James Mason | PMM @ Huntress
future planned
Adding this to the Roadmap for us to look into adding to the second half of 2025
Paul Horn
Dee, you are correct. While the Windows logs are currently available, clients using a Mac don't have the logs stored for recordkeeping purposes to fulfil Cyber requirements. The majority of my clients are in the non-banking financial services sector, such as Registered Investment Advisors.
The SEC has a proposed rule, "Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies", where the requirements to capture and review logs are mentioned. Refer to the Information Protection, Incident Response, and Recordkeeping sections.
SIEM logs would need to be stored for 5 years.
I believe the FTC Safeguards Rule - Standards for Safeguarding Customer Information also has overlap here in needing the logs captured.