OK forensics folks! What are some events you'd like to see from Mac logs? Here's the working list I have right now. User created User login/logoff (success & fail) group create group change sudo use app install/delete Please RT! Thanks in advance.

(USB) device connection startup service change/create/delete keyring access iCloud activity Apple ID changes

what sort of iCloud activities? That's hella broad. Any pointers would be appreciated.