What does "monitor" really mean, and how do I do it?

old.reddit.com / @/u/Ok-Nebula-1876, https://old.reddit.com/user/Ok-Nebula-1876

I work for a small company and we're doing an internal 800-171 compliance review. We don't have a security specialist on staff, so a few of us are just trying to work through it and do our best. Our scope is ~20 people using Macs, various AWS services, and Google Drive. A little bit of CUI data here and there.

We've got all of our machines set up with JAMF happily feeding its "level 2" logs to Splunk, so we're good as far as that goes -- but the next step has me stuck. Item 3.14.6, for example, requires us to "monitor" our systems. Well, we've got all the logs now, but we have no idea exactly what we should be setting up the alerts to be watching for, nor the time to manually be triaging zillions of false alarms if (when) we set the criteria and thresholds naively wrong.

Presumably this requires setting up alerts inside Splunk to watch for certain kinds of events, but we don't know enough about macOS security, network security in general, or the Jamf event model to be able to create those alerts. Some googling shows many tools out there that do "threat monitoring" and such, but it is not clear to the nonexpert exactly what they do, how they would tie into Jamf/Splunk, if they support events coming from Macs -- or if they are even remotely appropriate for a 20-person shop with no dedicated IT staff.

We'd like to do the right thing, but I've no idea where to go next, or even if I'm asking the right questions.

Ideas or suggestions?

submitted by /u/Ok-Nebula-1876

published 11 months ago



