I would be interested in topics along the lines of best practices for normalizing data from mac+win+linux endpoints so that generic alerts can be created for them.

I don't think there's a simple answer. Depends on the data. And in some cases the platforms cannot easily normalize.

Agreed 🙂 That’s why I’m interested in others’ methods