diff --git a/it-and-security/lib/collect-software-permissions-system.queries.yaml b/it-and-security/lib/collect-software-permissions-system.queries.yaml
new file mode 100644
index 0000000000..0f576ffcf7
--- /dev/null
+++ b/it-and-security/lib/collect-software-permissions-system.queries.yaml
@@ -0,0 +1,5 @@
+- name: Collect software permissions (system)
+ description: "Research for #16899"
+ query: SELECT * from tcc_system;
+ interval: 3600 # 1 hour
+ platform: darwin
\ No newline at end of file
diff --git a/it-and-security/lib/collect-software-permissions-user.queries.yaml b/it-and-security/lib/collect-software-permissions-user.queries.yaml
new file mode 100644
index 0000000000..b8b0e7c75b
--- /dev/null
+++ b/it-and-security/lib/collect-software-permissions-user.queries.yaml
@@ -0,0 +1,5 @@
+- name: Collect software permissions (user)
+ description: "Research for #16899"
+ query: SELECT * from tcc_user;
+ interval: 3600 # 1 hour
+ platform: darwin
\ No newline at end of file
diff --git a/it-and-security/teams/workstations-canary.yml b/it-and-security/teams/workstations-canary.yml
index e5ad3636eb..e2550b4b88 100644
--- a/it-and-security/teams/workstations-canary.yml
+++ b/it-and-security/teams/workstations-canary.yml
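Review bot: The new file is created as `collect-software-permissions-system.queries.yaml`, but the `queries:` list in `workstations-canary.yml` (last hunk of this diff) references `../lib/collect-software-permissions-system.queries.yml`, and every neighbouring lib file in that list uses `.yml`, so the GitOps run will either fail on the unresolved path or silently skip the query until one side is renamed. The same mismatch applies to `collect-software-permissions-user.queries.yaml` in the next hunk. Renaming both files to `.queries.yml` matches both the references and the sibling files. `description` currently records only the ticket; since this query exports each app's TCC privacy grants hourly, I would state the purpose there, e.g. `description: "Inventory of macOS TCC privacy grants held by system-level apps (which apps hold camera/microphone/full-disk access); research for #16899"`. Both new files also lack a trailing newline.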
@@ -26,14 +26,40 @@ agent_options:
 platforms:
 darwin:
 auto_table_construction:
- tcc:
+ tcc_system:
 path: /Library/Application Support/com.apple.TCC/TCC.db
- query: 'select service, client, auth_value, auth_reason from access'
+ query: 'select service, client, client_type, auth_value, auth_reason, auth_version, csreq, policy_id, indirect_object_identifier, indirect_object_identifier_type, indirect_object_code_identity, flags, last_modified from access'
 columns:
 - service
 - client
+ - client_type
 - auth_value
 - auth_reason
+ - auth_version
+ - csreq
+ - policy_id
+ - indirect_object_identifier
+ - indirect_object_identifier_type
+ - indirect_object_code_identity
+ - flags
+ - last_modified
+ tcc_user:
+ path: /Users/%/Library/Application Support/com.apple.TCC/TCC.db
+ query: 'select service, client, client_type, auth_value, auth_reason, auth_version, csreq, policy_id, indirect_object_identifier, indirect_object_identifier_type, indirect_object_code_identity, flags, last_modified from access'
+ columns:
+ - service
+ - client
+ - client_type
+ - auth_value
+ - auth_reason
+ - auth_version
+ - csreq
+ - policy_id
+ - indirect_object_identifier
+ - indirect_object_identifier_type
+ - indirect_object_code_identity
+ - flags
+ - last_modified
 controls:
 enable_disk_encryption: true
 macos_settings:
@@ -92,3 +118,5 @@ queries:
 - path: ../lib/collect-failed-login-attempts.queries.yml
 - path: ../lib/collect-usb-devices.queries.yml
 - path: ../lib/collect-vs-code-extensions.queries.yml
+ - path: ../lib/collect-software-permissions-system.queries.yml
+ - path: ../lib/collect-software-permissions-user.queries.yml
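Review bot: Renaming the existing `tcc` ATC table to `tcc_system` removes a table name that any saved query or policy already attached to this team may reference, and nothing in the diff updates such references, so confirm none exist (or keep `tcc` alongside the new name) before merging. The 13-column projection is now spelled out four times (the `query` and `columns` of both tables); as I read osquery's ATC config the table schema comes from `columns` and the values from the query result, so if one copy drifts the values would be mis-mapped or dropped without any error — a comment above each `columns:` list such as `# must match the SELECT list above: same names, same order` at least makes the coupling explicit. `csreq` is a binary code-signing-requirement blob in TCC.db while ATC columns are exposed as text, so it may arrive unreadable; if nothing downstream decodes it, dropping it keeps the hourly export of privacy grants to the fields actually used. The enclosing `agent_options` mapping starts before this hunk.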