Timely Analysis of Event Logs for Cybersecurity
Internet-facing device logs are quickly reviewed to find security issues.
Plain language
Event logs from devices that connect to the internet are reviewed quickly to catch any security issues. This is important because if someone tries to hack your network or steal your information, the logs might show unusual activity. If these aren't checked regularly, you might miss early warnings and suffer data loss or a cyber incident that could have been prevented.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system monitoring
Section
Event logging and monitoring
Topic
Event Log Monitoring
Official control statement
Event logs from internet-facing network devices are analysed in a timely manner to detect cyber security events.
Why it matters
Delayed analysis of internet-facing device logs can lead to undetected intrusions, resulting in data breaches and compromised network integrity.
Operational notes
Review internet-facing device event logs daily and alert on suspicious activity (e.g., repeated failed logins, config changes), escalating incidents for investigation.
Implementation tips
- The IT team should establish a routine for checking event logs from internet-facing devices. They can do this by setting up a daily schedule to review these logs and flagging anything out of the ordinary. This can be done using software that highlights suspicious patterns or manual checks if resources are limited.
- Managers should allocate responsibility for log reviews to a specific team member or group. They need to ensure that this person or group is trained to know what to look for, such as unauthorised access attempts, and has the time and resources to do it consistently.
- System owners should work with IT staff to ensure all internet-facing devices have logging enabled. They should confirm that logs are being stored securely and are accessible for review without being tampered with. This might involve configuring settings on routers, firewalls, and servers.
- IT teams should ensure that the logs cover an adequate period to detect patterns over time. A general rule is to retain logs for at least 90 days. This allows for a window to spot trends or repeated issues that might be missed with shorter logs.
- Regularly update the team’s methodology on what to review in the logs based on the latest security threat information. IT and security staff should stay informed through trusted sources, such as the Australian Cyber Security Centre, to keep their approach current.
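The daily review and alerting described in the operational notes and implementation tips above, as an added example that is not part of the original control text: a small detector run over constructed sample lines in an assumed syslog-like format from a hypothetical internet-facing firewall (host name fw-edge-01, addresses and timestamps all made up), flagging a burst of failed logins from one source and any configuration change.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (assumed syslog-like format, hypothetical host); not real device output.
SAMPLE_LOGS = """\
2026-03-19T02:14:01Z fw-edge-01 sshd: Failed password for admin from 203.0.113.7
2026-03-19T02:14:03Z fw-edge-01 sshd: Failed password for admin from 203.0.113.7
2026-03-19T02:14:05Z fw-edge-01 sshd: Failed password for root from 203.0.113.7
2026-03-19T02:14:09Z fw-edge-01 sshd: Failed password for admin from 203.0.113.7
2026-03-19T02:14:12Z fw-edge-01 sshd: Failed password for admin from 203.0.113.7
2026-03-19T02:20:00Z fw-edge-01 sshd: Accepted password for ops from 192.0.2.10
2026-03-19T02:21:30Z fw-edge-01 config: user ops committed configuration change
2026-03-19T03:05:00Z fw-edge-01 sshd: Failed password for backup from 198.51.100.4
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\w+): (.*)$")
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")

def parse_line(line):
    """Split one log line into timestamp, host, process and message."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable lines are skipped rather than aborting the review
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "host": m.group(2), "proc": m.group(3), "msg": m.group(4)}

def analyse(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for config changes and for `threshold` failed logins from one source inside `window`."""
    alerts = []
    failures = defaultdict(list)  # source address -> timestamps of recent failures
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if "configuration change" in ev["msg"]:
            alerts.append(("config_change", ev["host"], ev["ts"], ev["msg"]))
            continue
        fm = FAILED_RE.search(ev["msg"])
        if not fm:
            continue
        src = fm.group(2)
        recent = failures[src]
        recent.append(ev["ts"])
        while recent and ev["ts"] - recent[0] > window:  # expire failures outside the window
            recent.pop(0)
        if len(recent) == threshold:  # fire once, as the threshold is crossed
            alerts.append(("repeated_failed_login", ev["host"], ev["ts"],
                           f"{threshold} failed logins from {src} within {window}"))
    return alerts
```

Each alert carries the device, the timestamp and a short reason so it can be escalated for investigation, and a single failure (198.51.100.4 above) stays below the threshold and produces nothing.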
Audit / evidence tips
- Ask for the latest event log review schedule. Request to see the calendar or documentation that details when and how often logs are reviewed, and look to ensure a clear schedule is in place with assigned personnel. Good evidence will show logs are reviewed daily or weekly by named individuals.
- Ask for a sample of recently reviewed logs. Obtain logs marked with identified incidents or anomalies.
- Ask for documentation on log retention policies. Request the policy document that outlines how long logs are kept, and look to ensure it states the retention period and secure storage practices. Good evidence will match industry standards, such as the recommended 90 days or more.
- Ask to see the training records for team members responsible for log review. Verify completion of training specific to identifying log integrity and anomalies. Good evidence will show recent training completion, ideally from credible sources like the Australian Signals Directorate.
- Ask for a report on recent security incidents identified through log analysis. Request to see a brief report detailing incidents flagged from logs. A good outcome indicates rapid identification and mitigation efforts based on the logs.
Cross-framework mappings
How ISM-1960 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Supports | Annex A 8.21 | ISM-1960 supports Annex A 8.21 by specifying a monitoring technique for internet-facing devices |
E8
| Relationship | Number of mapped controls |
|---|---|
| Partially overlaps | 6 |
| Supports | 1 |
| Related | 2 |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.