Timely analysis of workstation event logs for security events
Regularly check logs on office computers to find security issues early.
Plain language
Checking the event logs on your office computers regularly helps catch security problems early, like someone trying to hack in or mess with your systems. If you don’t keep an eye on these logs, a cybercriminal could sneak in, and you might not know until they’ve stolen sensitive information or disrupted operations.
| Field | Value |
|---|---|
| Framework | ASD Essential Eight |
| Control effect | Detective |
| E8 mitigation strategy | Restrict administrative privileges |
| Classifications | N/A |
| Official last update | N/A |
| Control Stack last updated | 19 Mar 2026 |
| E8 maturity levels | ML3 |
Official control statement
Event logs from workstations are analysed in a timely manner to detect cyber security events.
Why it matters
Neglecting timely log analysis allows attackers to escalate privileges undetected, leading to potential data breaches or operational disruption.
Operational notes
Review workstation event logs daily and triage alerts to spot suspicious sign-ins, privilege changes and malware activity early.
Implementation tips
- The IT team should set up a routine schedule to review workstation event logs, ensuring they are checked at least once a week. They could use specific software that collects these logs automatically and highlights any unusual activity.
- System administrators should train employees on the importance of reporting suspicious activity, teaching them to report anything unusual on their workstations immediately. This can be done through annual security awareness training sessions.
- Security officers should develop a baseline of what normal event log activity looks like for the organisation. This can be achieved by analysing logs over time to identify typical patterns and flagging deviations for investigation.
- IT managers should ensure that all office computers are configured to retain event logs for a minimum period, such as six months, to allow adequate time for analysis. This may require adjusting system settings or using log management tools.
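Added example (not part of this control page): a small Python triage pass over constructed workstation Security-log records, implementing the checks described in the operational notes and in the baseline tip above: a burst of failed sign-ins, a sign-in to a workstation outside the user's baseline, a local Administrators membership change, and an audit-log clear. The event IDs are the standard Windows Security log IDs; the hostnames, usernames, timestamps, thresholds and baseline are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, shaped like a log collector's JSON export of the
# Windows Security log. Hostnames, users and timestamps are made up; the event
# IDs are the standard Security-log ones (4624 logon, 4625 failed logon,
# 4732 member added to a local group, 1102 audit log cleared).
EVENTS = [
    {"ts": "2026-03-19T08:01:00", "host": "WS-017", "id": 4624, "user": "alice", "detail": ""},
    {"ts": "2026-03-19T08:02:10", "host": "WS-017", "id": 4625, "user": "bob", "detail": ""},
    {"ts": "2026-03-19T08:02:15", "host": "WS-017", "id": 4625, "user": "bob", "detail": ""},
    {"ts": "2026-03-19T08:02:21", "host": "WS-017", "id": 4625, "user": "bob", "detail": ""},
    {"ts": "2026-03-19T08:02:26", "host": "WS-017", "id": 4625, "user": "bob", "detail": ""},
    {"ts": "2026-03-19T08:02:30", "host": "WS-017", "id": 4625, "user": "bob", "detail": ""},
    {"ts": "2026-03-19T22:40:00", "host": "WS-042", "id": 4624, "user": "alice", "detail": ""},
    {"ts": "2026-03-19T22:41:05", "host": "WS-042", "id": 4732, "user": "alice", "detail": "Administrators"},  # detail = target group
    {"ts": "2026-03-19T22:45:00", "host": "WS-042", "id": 1102, "user": "alice", "detail": ""},
]

# Baseline from earlier reviews: the workstations each user normally signs in to.
BASELINE = {"alice": {"WS-017"}, "bob": {"WS-017"}}

FAILED_LOGON_THRESHOLD = 5                  # 4625 events per user ...
FAILED_LOGON_WINDOW = timedelta(minutes=5)  # ... within this window

def triage(events, baseline):
    """Return (severity, message) findings for one review period, in time order."""
    findings = []
    failed = defaultdict(list)  # user -> timestamps of recent failed logons
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        user, host, eid = e["user"], e["host"], e["id"]
        if eid == 4625:
            # Sliding window; fires once, when the count first reaches the threshold.
            failed[user] = [t for t in failed[user] if ts - t <= FAILED_LOGON_WINDOW] + [ts]
            if len(failed[user]) == FAILED_LOGON_THRESHOLD:
                findings.append(("medium", f"{user}: {FAILED_LOGON_THRESHOLD} failed logons on {host} within {FAILED_LOGON_WINDOW}"))
        elif eid == 4624 and host not in baseline.get(user, set()):
            findings.append(("low", f"{user}: sign-in to {host}, not in baseline"))
        elif eid == 4732 and e["detail"] == "Administrators":
            findings.append(("high", f"{user}: account added to local Administrators on {host}"))
        elif eid == 1102:
            findings.append(("high", f"{user}: audit log cleared on {host}"))
    return findings

if __name__ == "__main__":
    for sev, msg in triage(EVENTS, BASELINE):
        print(f"[{sev}] {msg}")
```

In a real deployment the records would come from the log collector's export and the baseline from the historical review described above; the findings are the items a daily triage would work through.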
Audit / evidence tips
- Ask: How frequently are workstation event logs reviewed?
  Good: Workstation logs are reviewed weekly with results documented.
- Ask: What tools or methods are used to analyse workstation event logs?
  Good: The organisation uses specific log management software that automatically collects and highlights potential security events.
- Ask: How do employees report unusual system activity?
  Good: Employees receive annual training and have a simple, documented process to report suspicious activity.
- Ask: How long are workstation event logs retained?
  Good: Event logs are retained for at least six months, as confirmed by system settings or policy documents.
Cross-framework mappings
How E8-RA-ML3.9 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | Annex A 5.28 | E8-RA-ML3.9 requires organisations to analyse workstation event logs in a timely manner to detect cyber security events |
| Related | Annex A 8.16 | Annex A 8.16 requires organisations to monitor networks, systems and applications for anomalous behaviour and take action to evaluate pot... |
ASD ISM
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | ISM-1228 | E8-RA-ML3.9 requires organisations to analyse workstation event logs in a timely manner to detect cyber security events |
| Partially overlaps | ISM-1537 | E8-RA-ML3.9 requires organisations to analyse workstation event logs in a timely manner to detect cyber security events |
| Partially overlaps | ISM-1907 | E8-RA-ML3.9 requires organisations to analyse workstation event logs in a timely manner to detect cyber security events |
| Partially overlaps | ISM-1960 | E8-RA-ML3.9 requires organisations to analyse workstation event logs in a timely manner to detect cyber security events |
| Partially overlaps | ISM-1961 | E8-RA-ML3.9 requires organisations to analyse workstation event logs in a timely manner to detect cyber security events |
| Partially overlaps | ISM-1986 | E8-RA-ML3.9 requires organisations to analyse workstation event logs in a timely manner to detect cyber security events |
| Depends on | ISM-2051 | E8-RA-ML3.9 requires organisations to analyse workstation event logs in a timely manner to detect cyber security events |
| Related | ISM-1987 | ISM-1987 requires event logs from security products to be analysed in a timely manner to detect cyber security events |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.