Allowed and blocked application control events are centrally logged
Ensure all application control events are logged in a central location for monitoring.
Plain language
Imagine your computer as a secure building. This control acts like a guard keeping track of everyone allowed in or stopped at the door. By logging these events centrally, you can quickly spot if intruders are trying to get in or if something unusual is happening. Without this, dangerous software could sneak in unnoticed, putting your data and operations at risk.
Framework
ASD Essential Eight
Control effect
Detective
E8 mitigation strategy
Application control
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2
Official control statement
Allowed and blocked application control events are centrally logged.
Why it matters
Without central logging of application control events, suspicious activity could go unnoticed, leaving the organisation vulnerable to stealthy cyber attacks.
Operational notes
Configure application control to forward allowed/blocked events from all endpoints to a central log platform for alerting and investigation.
Implementation tips
- The IT team should ensure that all application control events, both allowed and blocked, are logged on every endpoint, not just the blocked ones: allowed events establish a baseline of what normally runs and prove that logging is actually working on each host. This is done by configuring the application control software to write its events and forwarding them to a central logging system.
- System administrators need to set up a central logging server. They can do this by deploying a log collector or SIEM on a secure server designed to receive, store and index logs from all endpoints, with clocks synchronised so events from different hosts can be correlated.
- IT staff should configure alert mechanisms. They can set up the central log system to send alerts to the IT team when certain patterns are detected, such as repeated block attempts from one host or user within a short window, blocked executions from user-writable paths, or a host that stops sending any events at all.
- Security officers should review the central logs regularly for anomalies. This involves analysing the logs for unusual patterns or behaviours that might indicate a security breach or a gap in the application control policy.
- IT support should ensure the central log storage is secure. They can do this by setting permissions so only authorised personnel can access or modify log files, and by retaining logs for long enough to support an investigation, protecting them from tampering or premature deletion.
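As an added example (not code from the original control page or from the Control Stack project), the detection logic below runs over a few constructed application control records of the kind a forwarder might deliver to a central log platform. It assumes Windows AppLocker as the application control product and uses its documented event IDs (8002/8005 allowed, 8003/8006 audit-mode "would have been blocked", 8004/8007 blocked); the JSON field names, the sample log lines, the malformed line and the host inventory are all assumptions made up for this example. It raises an alert on repeated blocks from one host/user pair inside a sliding window, and separately flags inventory hosts that sent nothing, which is the check that logging of allowed events makes possible.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# AppLocker event IDs for enforced and audit-mode rules. EXE/DLL log: 8002 allowed,
# 8003 audited (would have been blocked), 8004 blocked. MSI/script log: 8005, 8006, 8007.
DECISION_BY_EVENT_ID = {
    8002: "allowed", 8003: "audited", 8004: "blocked",
    8005: "allowed", 8006: "audited", 8007: "blocked",
}

# Constructed sample input (one JSON object per line) in the shape a log forwarder
# might use when shipping AppLocker events centrally. Field names are assumptions.
# The "not JSON" line simulates a corrupted record from a misbehaving forwarder.
SAMPLE_LOG = r"""
{"ts": "2026-03-19T09:00:05Z", "host": "WS01", "user": "alice", "event_id": 8002, "path": "C:\\Windows\\System32\\notepad.exe"}
{"ts": "2026-03-19T09:01:10Z", "host": "WS02", "user": "bob", "event_id": 8004, "path": "C:\\Users\\bob\\Downloads\\invoice.exe"}
{"ts": "2026-03-19T09:01:42Z", "host": "WS02", "user": "bob", "event_id": 8004, "path": "C:\\Users\\bob\\Downloads\\invoice.exe"}
this line is not JSON
{"ts": "2026-03-19T09:02:15Z", "host": "WS02", "user": "bob", "event_id": 8007, "path": "C:\\Users\\bob\\Downloads\\setup.msi"}
{"ts": "2026-03-19T09:03:01Z", "host": "WS03", "user": "carol", "event_id": 8005, "path": "C:\\Scripts\\backup.ps1"}
{"ts": "2026-03-19T09:30:00Z", "host": "WS02", "user": "bob", "event_id": 8004, "path": "C:\\Users\\bob\\AppData\\Local\\Temp\\x.exe"}
"""


def parse_events(text):
    """Parse a JSON-lines export into normalised records.
    Malformed lines are skipped but counted, so a silently broken forwarder
    shows up as a number rather than as a quietly shorter batch."""
    events, malformed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            event_id = int(rec["event_id"])
            events.append({
                "ts": datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "host": rec["host"],
                "user": rec["user"],
                "event_id": event_id,
                "path": rec["path"],
                "decision": DECISION_BY_EVENT_ID.get(event_id, "unknown"),
            })
        except (ValueError, KeyError, TypeError):
            malformed += 1
    return events, malformed


def repeated_block_alerts(events, threshold=3, window=timedelta(minutes=5)):
    """One alert per host/user pair that produced >= threshold blocked or audited
    events inside a sliding time window (audit-mode hits count so that a
    not-yet-enforced policy still surfaces attempts)."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["decision"] in ("blocked", "audited"):
            by_pair[(e["host"], e["user"])].append(e)
    alerts = []
    for (host, user), hits in by_pair.items():
        start = 0
        for end in range(len(hits)):
            # Advance the window start until the span fits inside `window`.
            while hits[end]["ts"] - hits[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "host": host, "user": user, "count": end - start + 1,
                    "first": hits[start]["ts"], "last": hits[end]["ts"],
                    "paths": sorted({h["path"] for h in hits[start:end + 1]}),
                })
                break  # one alert per pair is enough for triage
    return alerts


def silent_hosts(events, expected_hosts):
    """Inventory hosts that sent no application control events at all. Because
    allowed events are logged too, silence almost always means forwarding is
    broken or the policy is not applied, not that nothing ran on the host."""
    return set(expected_hosts) - {e["host"] for e in events}


if __name__ == "__main__":
    events, malformed = parse_events(SAMPLE_LOG)
    inventory = ["WS01", "WS02", "WS03", "WS04"]  # constructed asset list
    print(f"{len(events)} events parsed, {malformed} malformed line(s)")
    for a in repeated_block_alerts(events):
        print(f"ALERT {a['host']}/{a['user']}: {a['count']} blocks between "
              f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}: {a['paths']}")
    print("silent hosts (check forwarding):", sorted(silent_hosts(events, inventory)))
```

The silent-host check is the reason the control asks for allowed events as well as blocked ones: without them, an endpoint whose forwarder has died and an endpoint where nothing was ever blocked look identical in the central platform.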
Audit / evidence tips
- Ask: Can you show where application control logs are being stored centrally?
- Good: The logs are consistently centralised on a secure server, and we can see entries for both allowed and blocked application events.
- Ask: How are these logs protected against unauthorised changes?
- Good: Access controls are in place, granting log access only to authorised personnel, with logs showing no unauthorised changes.
Cross-framework mappings
How E8-AC-ML2.5 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.15 | E8-AC-ML2.5 requires organisations to centrally log allowed and blocked application control events |
| Supports | Annex A 8.16 | E8-AC-ML2.5 requires organisations to centrally log allowed and blocked application control events |
| Depends on | Annex A 8.17 | E8-AC-ML2.5 requires allowed and blocked application control events to be centrally logged for monitoring and investigation |
ASD ISM
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | ISM-0670 | ISM-0670 requires security-relevant events for Cross Domain Solutions (CDSs) to be centrally logged for monitoring |
| Partially overlaps | ISM-1976 | ISM-1976 requires security-relevant events on Apple macOS systems to be centrally logged for monitoring |
| Partially overlaps | ISM-1977 | ISM-1977 requires security-relevant events for Linux operating systems to be centrally logged |
| Partially overlaps | ISM-1978 | E8-AC-ML2.5 requires organisations to centrally log allowed and blocked application control events |
| Partially overlaps | ISM-1979 | ISM-1979 requires security-relevant events for server applications on non-internet-facing servers to be centrally logged |
| Supports | ISM-0580 | ISM-0580 requires an organisation to develop, implement and maintain an event logging policy to ensure events are recorded and monitored |
| Supports | ISM-0955 | ISM-0955 requires application control to be implemented using specific rule types (hash, publisher certificate, or path rules) |
| Supports | ISM-1983 | ISM-1983 requires event logs to be sent to a centralised logging facility as soon as possible after they occur |
| Depends on | ISM-0988 | E8-AC-ML2.5 requires central logging of allowed and blocked application control events to support monitoring and response |
| Depends on | ISM-1405 | E8-AC-ML2.5 requires allowed and blocked application control events to be centrally logged |
| Related | ISM-1660 | ISM-1660 requires that both allowed and blocked application control events are centrally logged |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.