Timely Analysis of Workstation Event Logs for Cybersecurity
Quickly analyse workstation logs to detect security issues.
Plain language
This control is about making sure we regularly check and analyse the event logs on our computers to spot signs of cyber threats. Think of it like regularly checking your bank statement for any suspicious activity. If we don't do this, cyber criminals might break into our systems and cause harm before we're even aware there's a problem.
Framework
ASD Essential Eight
Control effect
Detective
E8 mitigation strategy
Application hardening
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Official control statement
Event logs from workstations are analysed in a timely manner to detect cyber security events.
Why it matters
If workstation event logs aren’t analysed promptly, malicious activity can go unnoticed, delaying detection and response and increasing the scope of compromise.
Operational notes
Schedule workstation event log reviews and tune alert rules so high-risk events are triaged quickly; document review frequency, escalation steps and retention.
Implementation tips
- The IT team should ensure logs from all workstations are being collected centrally. They can do this by setting up a system that gathers logs from each computer in one place.
- The security officer should schedule regular reviews of log data. This can be done by setting up a calendar reminder to check the logs at least once a day.
- System administrators should automate the analysis process. They can use software tools that scan the logs and alert when something unusual happens.
- The IT team should ensure the logging system is set up to prevent unauthorised access to, or changes to, the logs. They can do this by setting permissions that limit who can view or alter logs.
- Security officers should create a plan for what to do if they find something suspicious in the logs, including who to notify and what steps to take next.
Audit / evidence tips
- Ask: Who is responsible for reviewing workstation event logs, and how often is it done?
- Good: Evidence shows logs are reviewed daily, with automated alerts set for suspicious activity.
- Ask: Can you show how logs are stored and protected from tampering?
- Good: Logs are stored securely, with access control settings preventing unauthorised alterations.
Cross-framework mappings
How E8-AH-ML3.5 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.15 | E8-AH-ML3.5 requires event logs from workstations to be analysed in a timely manner to detect cyber security events |
| Partially meets | Annex A 8.16 | E8-AH-ML3.5 requires timely analysis of workstation event logs to detect cyber security events |
| Supports | Annex A 5.25 | E8-AH-ML3.5 requires organisations to analyse workstation event logs in a timely manner to detect cyber security events |
ASD ISM
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | ISM-1228 | E8-AH-ML3.5 requires analysing workstation event logs in a timely manner to detect cyber security events |
| Partially overlaps | ISM-1906 | E8-AH-ML3.5 requires timely analysis of workstation event logs to detect cyber security events |
| Partially overlaps | ISM-1907 | E8-AH-ML3.5 requires timely analysis of workstation event logs to detect cyber security events |
| Partially overlaps | ISM-1960 | E8-AH-ML3.5 addresses timely analysis of workstation event logs to detect cyber security events |
| Partially overlaps | ISM-1961 | E8-AH-ML3.5 requires event logs from workstations to be analysed in a timely manner to detect cyber security events |
| Partially overlaps | ISM-1986 | E8-AH-ML3.5 requires timely analysis of workstation event logs to detect cyber security events |
| Partially overlaps | ISM-1987 | E8-AH-ML3.5 requires event logs from workstations to be analysed in a timely manner to detect cyber security events |
| Depends on | ISM-0120 | E8-AH-ML3.5 requires timely analysis of workstation event logs to detect cyber security events |
| Depends on | ISM-0580 | E8-AH-ML3.5 requires timely analysis of workstation event logs to detect cyber security events |
| Depends on | ISM-2051 | E8-AH-ML3.5 requires organisations to analyse workstation event logs in a timely manner |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.