22 August 2024
The National Cyber Security Centre (NCSC) has today released guidance, developed with international partners, on best practices for event logging and threat detection.
This guidance sets a baseline for logging best practices to mitigate malicious cyber threats.
"Best practices for event logging and threat detection" was developed by the Australian Signals Directorate’s Australian Cyber Security Centre, in collaboration with the NCSC and the following international partners:
- United States Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and the National Security Agency,
- United Kingdom National Cyber Security Centre,
- Canadian Centre for Cyber Security,
- Japan National Center for Incident Readiness and Strategy for Cybersecurity and JPCERT/CC,
- The Republic of Korea National Intelligence Service (NIS) and NIS’s National Cyber Security Center,
- Singapore Cyber Security Agency, and
- The Netherlands General Intelligence and Security Service, and Military Intelligence and Security Service.
The increased use of Living Off the Land (LOTL) techniques by malicious actors to evade detection highlights the importance of implementing and maintaining effective event logging.
This guidance outlines best practices for event logging and threat detection across cloud services, enterprise networks, enterprise mobility, and operational technology (OT) networks. LOTL techniques are included in this guidance as a case study because of the particular challenges they pose for detection.
Event logging helps maintain the delivery of critical systems and strengthens security and resilience by improving network visibility. This guidance recommends ways to improve organisational resilience in today’s cyber threat environment, while taking resource constraints into account. The guidance assumes a basic understanding of event logging and is moderately technical.
Best practices for event logging and threat detection [PDF, 1001 KB]