Joint Guidance: Best practices for event logging and threat detection

The National Cyber Security Centre (NCSC) has today released guidance alongside international partners about best practices for event logging and threat detection.

This guidance defines a baseline for logging best practices to mitigate malicious cyber threats.

Best practices for event logging and threat detection was developed by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) in cooperation with the NCSC and the following international partners:

  • United States (US) Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA)
  • United Kingdom (UK) National Cyber Security Centre (NCSC-UK)
  • Canadian Centre for Cyber Security (CCCS)
  • Japan National Center for Incident Readiness and Strategy for Cybersecurity (NISC) and JPCERT/CC
  • The Republic of Korea National Intelligence Services (NIS) and NIS’s National Cyber Security Center (NCSC-Korea)
  • Singapore Cyber Security Agency (CSA)
  • The Netherlands General Intelligence and Security Service (AIVD) and Military Intelligence and Security Service (MIVD).

The increased prevalence of malicious actors employing Living Off the Land (LOTL) techniques to evade detection highlights the importance of implementing and maintaining an effective event logging solution.

This guidance details best practices for event logging and threat detection for cloud services, enterprise networks, enterprise mobility, and operational technology (OT) networks. LOTL techniques are used as a case study throughout the guidance because they are particularly difficult to detect.

Event logging supports the continued delivery of critical systems and improves the security and resilience of systems by enabling network visibility. This guidance recommends ways to improve an organisation’s resilience in the current cyber threat environment, with regard for resourcing constraints. The guidance assumes a basic understanding of event logging and is of moderate technical complexity.