Hello everyone!
I’m currently going through a PCI audit process and we need to collect logs for specific events within macOS; we aim to do this with Jamf Protect (Telemetry, Analytics, Unified Logging, whatever fits best honestly). We have had rather low success so far, given the amount of noise we get from what are probably too general predicates.
Have you had to set this up? Do you have hints or tips (or, even better, your analytics/filters)?
This is the list of events we want to get logged:
a. all administrative actions
b. accessing audit trails
c. invalid access attempts
d. successful access attempts
e. elevation of privileges
f. creation/deletion/modification of an account with admin privileges
g. start/stop/pausing of audit logs
h. creation of system-level objects
Thanks in advance!
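An added example, not part of the original post or of Jamf Protect: a small offline triage script that replays candidate predicates over an exported unified-log sample so you can measure how much noise a filter lets through before committing it to a Unified Logging filter. It assumes the input is the ndjson form of `log show --style ndjson` (one JSON object per line with `processImagePath` and `eventMessage` fields), that sudo, sshd and auditd write the message shapes shown to the unified log, and that the predicate strings use the same syntax `log show --predicate` accepts. The sample records are constructed, not captured from a real Mac. It covers items a, c, d, e, f and g from the list above; b and h are file-access events that unified logging does not carry by itself.

```python
"""Offline triage of macOS unified-log records against a PCI-style event list.

Added example, not from the original post or from Jamf. Input: lines of
`log show --style ndjson` output. Field names (processImagePath, eventMessage)
and the sudo/sshd/auditd message formats are assumptions about that output.
"""
import json
import os
import re
from typing import Callable, Iterable

# One rule per PCI item: the letters from the post's list, the predicate you
# would paste into a Unified Logging filter (assumed syntax), and the same
# check in Python so the rule can be replayed over an exported sample.
RULES: list[tuple[str, str, Callable[[str, str], bool]]] = [
    # (letters, log-show predicate, matcher(process, message))
    ("ae", 'process == "sudo" AND eventMessage CONTAINS "COMMAND="',
     lambda p, m: p == "sudo" and "COMMAND=" in m and "incorrect password" not in m),
    ("c", 'process == "sudo" AND eventMessage CONTAINS "incorrect password"',
     lambda p, m: p == "sudo" and "incorrect password" in m),
    # Admin-group edits done from the shell go through sudo, so the COMMAND=
    # line shows them; GUI changes via System Settings will not match this.
    ("f", 'process == "sudo" AND eventMessage CONTAINS "COMMAND=" AND eventMessage CONTAINS "admin"',
     lambda p, m: p == "sudo" and "COMMAND=" in m
     and re.search(r"\b(dseditgroup|dscl)\b.*\badmin\b", m) is not None),
    ("d", 'process == "sshd" AND eventMessage CONTAINS "Accepted"',
     lambda p, m: p == "sshd" and m.startswith("Accepted ")),
    ("c", 'process == "sshd" AND eventMessage CONTAINS "Failed"',
     lambda p, m: p == "sshd" and m.startswith("Failed ")),
    ("g", 'process == "auditd"',
     lambda p, m: p == "auditd"),
]


def _process_name(rec: dict) -> str:
    """Basename of the logging process (ndjson carries the full image path)."""
    return rec.get("process") or os.path.basename(rec.get("processImagePath", ""))


def triage(ndjson_lines: Iterable[str]) -> list[tuple[str, str, str]]:
    """Return (letters, process, message) for every record matching a rule.

    Records matching no rule are the noise a broad predicate would have shipped.
    A record may satisfy several rules (e.g. a sudo'd dseditgroup is a, e and f).
    """
    hits: list[tuple[str, str, str]] = []
    for line in ndjson_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        proc, msg = _process_name(rec), rec.get("eventMessage", "")
        letters = "".join(sorted({ch for ls, _, match in RULES if match(proc, msg) for ch in ls}))
        if letters:
            hits.append((letters, proc, msg))
    return hits


def noise_ratio(ndjson_lines: list[str]) -> float:
    """Fraction of non-empty records that no rule keeps (0.0 = filter is tight)."""
    total = sum(1 for l in ndjson_lines if l.strip())
    return 1 - len(triage(ndjson_lines)) / total if total else 0.0


def _rec(path: str, msg: str) -> str:
    return json.dumps({"timestamp": "2024-05-01 09:00:00.000000+0200",
                       "processImagePath": path, "subsystem": "", "eventMessage": msg})


# Constructed sample, not captured from a real machine.
SAMPLE = [
    _rec("/usr/bin/sudo", "alice : TTY=ttys000 ; PWD=/Users/alice ; USER=root ; "
                          "COMMAND=/usr/sbin/dseditgroup -o edit -a bob -t user admin"),
    _rec("/usr/bin/sudo", "alice : TTY=ttys000 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/id"),
    _rec("/usr/bin/sudo", "mallory : 3 incorrect password attempts ; TTY=ttys001 ; "
                          "PWD=/Users/mallory ; USER=root ; COMMAND=/bin/sh"),
    _rec("/usr/sbin/sshd", "Accepted publickey for alice from 10.0.0.5 port 50122 ssh2: ED25519 SHA256:abc123"),
    _rec("/usr/sbin/sshd", "Failed password for invalid user admin from 203.0.113.9 port 41022 ssh2"),
    _rec("/usr/sbin/auditd", "audit startup"),
    _rec("/System/Library/PrivateFrameworks/SkyLight.framework/Resources/WindowServer",
         "display configuration changed"),
    _rec("/usr/libexec/timed", "time sync ok"),
]

if __name__ == "__main__":
    for letters, proc, msg in triage(SAMPLE):
        print(f"[{letters}] {proc}: {msg}")
    print(f"noise ratio: {noise_ratio(SAMPLE):.2f}")
```

Run it against a real export with `log show --last 1d --style ndjson > sample.ndjson` and `triage(open("sample.ndjson"))`; if the noise ratio stays high, the predicates in `RULES` are what go into the Jamf Protect filter, one per event class, rather than a single broad one.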
