Include security-focused events on audit logs. These could include: user logins/logouts, add IP addresses to all events, MFA success/failure