Event logs from internet-facing servers are analysed to detect cybersecurity events
Review logs from internet servers quickly to spot any security issues.
Plain language
This control is about regularly reviewing the logs from servers that are accessible from the internet to catch any signs of cyber attacks quickly. By doing this, organisations can spot suspicious activities early and respond before they cause serious harm, like stealing sensitive data or crashing their website.
Framework: ASD Essential Eight
Control effect: Detective
E8 mitigation strategy: Application control
Classifications: N/A
Official last update: N/A
Control Stack last updated: 19 Mar 2026
E8 maturity levels: ML2
Official control statement
Event logs from internet-facing servers are analysed in a timely manner to detect cyber security events.
Why it matters
If logs from internet-facing servers aren’t analysed promptly, intrusions can go unnoticed longer, increasing data theft and service disruption risk.
Operational notes
Centralise internet-facing server logs in a SIEM, set anomaly alerts, and review/investigate critical events daily to ensure timely detection.
Implementation tips
- The IT team should ensure that all internet-facing servers are configured to record detailed event logs. This can be done by setting up the server’s logging features to capture key information such as login attempts and system alerts.
- System administrators should set up automated alert systems to notify them of unusual activities. This involves using software that analyses the logs in real-time and sends alerts when suspicious patterns are detected.
- Security officers should regularly review these alerts and investigate any flagged events. They can do this by checking the logs against known signs of data breaches, such as repeated failed login attempts or irregular access times.
- The IT team should hold periodic training sessions for staff handling logs to ensure they know how to interpret them effectively. This can be done through workshops or onboarding programs for new staff.
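The tips above name two concrete indicators a log reviewer looks for: repeated failed login attempts from one source, and logins at irregular times. The script below is an added illustration of that detection logic and is not part of the Control Stack page or the Essential Eight material. It runs over a handful of constructed sshd-style auth log lines embedded in the file; the regular expression, the failure threshold and window, and the assumed business-hours range are all illustrative choices, and a real deployment would take these values from the organisation's own logging policy and baseline.

```python
"""Detection logic for two indicators named in the implementation tips:
repeated failed login attempts and successful logins at irregular times.

Added example. The log lines are constructed sample data in sshd/auth.log
style; thresholds and the business-hours window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from a real server). RFC 5737 documentation
# ranges are used for the source addresses.
SAMPLE_LOG = """\
2026-03-19T09:12:01 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2026-03-19T09:12:03 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
2026-03-19T09:12:06 web01 sshd[2210]: Failed password for root from 203.0.113.7 port 51024 ssh2
2026-03-19T09:12:09 web01 sshd[2210]: Failed password for root from 203.0.113.7 port 51025 ssh2
2026-03-19T09:12:12 web01 sshd[2210]: Failed password for root from 203.0.113.7 port 51026 ssh2
2026-03-19T09:40:00 web01 sshd[2301]: Accepted publickey for deploy from 198.51.100.20 port 40010 ssh2
2026-03-19T11:15:44 web01 sshd[2402]: Failed password for deploy from 198.51.100.20 port 40011 ssh2
2026-03-20T02:47:31 web01 sshd[2510]: Accepted password for deploy from 203.0.113.7 port 51090 ssh2
"""

# Matches the common sshd "Accepted/Failed <method> for [invalid user] <user> from <ip>" shape.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Assumed thresholds: 5 failures from one source inside 2 minutes, and
# 08:00-18:00 as the hours in which interactive logins are expected.
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=2)
BUSINESS_START, BUSINESS_END = 8, 18


def parse(log_text):
    """Parse sshd-style lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect_brute_force(events):
    """Flag a source IP once it reaches FAIL_THRESHOLD failures inside FAIL_WINDOW."""
    findings = []
    recent = defaultdict(list)  # ip -> failure timestamps still inside the window
    alerted = set()             # one alert per source, not one per extra failure
    for ev in events:
        if ev["result"] != "Failed":
            continue
        window = recent[ev["ip"]]
        window.append(ev["ts"])
        # Discard failures that have aged out of the sliding window.
        while window and ev["ts"] - window[0] > FAIL_WINDOW:
            window.pop(0)
        if len(window) >= FAIL_THRESHOLD and ev["ip"] not in alerted:
            alerted.add(ev["ip"])
            findings.append({"type": "brute_force", "ip": ev["ip"],
                             "count": len(window), "last_seen": ev["ts"]})
    return findings


def detect_off_hours_logins(events):
    """Flag successful logins whose hour falls outside the assumed business window."""
    return [
        {"type": "off_hours_login", "user": ev["user"], "ip": ev["ip"], "ts": ev["ts"]}
        for ev in events
        if ev["result"] == "Accepted"
        and not (BUSINESS_START <= ev["ts"].hour < BUSINESS_END)
    ]


def analyse(log_text):
    """Run both detections over a block of log text and return the findings."""
    events = parse(log_text)
    return detect_brute_force(events) + detect_off_hours_logins(events)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

On the sample data the script produces two findings: a burst of five failures from 203.0.113.7 and an off-hours login for `deploy` from the same address the next day. Seeing the two side by side is the kind of correlation the review step in the tips is meant to surface; a single alert in isolation is easy to dismiss, and the point of centralising logs in a SIEM is that the reviewer can pivot from one to the other.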
Audit / evidence tips
- Ask: What processes are in place to analyse event logs from internet-facing servers?
- Ask: to see records of log review activities, including schedules and findings
- Good: A detailed schedule of regular log reviews with documented summaries of findings and actions taken in response to flagged events
- Ask: How are unusual events identified and responded to?
- Good: Logs show specific instances where alerts were generated, reviewed, and followed by appropriate responses such as adjusting security settings or conducting a deeper investigation
Cross-framework mappings
How E8-AC-ML2.7 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.15 | E8-AC-ML2.7 requires timely analysis of event logs from internet-facing servers to detect cyber security events |
| Partially meets | Annex A 8.16 | E8-AC-ML2.7 requires timely analysis of internet-facing server event logs to detect cyber security events |
| Supports | Annex A 5.25 | E8-AC-ML2.7 requires timely analysis of internet-facing server event logs to detect cyber security events |
ASD ISM
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | ISM-1960 | ISM-1960 requires event logs from internet-facing network devices to be analysed in a timely manner to detect cyber security events |
| Partially overlaps | ISM-1986 | E8-AC-ML2.7 requires timely analysis of event logs from internet-facing servers to detect cyber security events |
| Supports | ISM-0120 | ISM-0120 requires cyber security personnel to have the tools and data sources needed to monitor for indicators of compromise |
| Supports | ISM-0580 | ISM-0580 requires an organisation to develop, implement and maintain an event logging policy to ensure events are recorded and monitored |
| Depends on | ISM-1910 | ISM-1910 requires centrally logging internet-accessible network API calls that modify data or access non-public data |
| Depends on | ISM-1978 | E8-AC-ML2.7 requires timely analysis of event logs from internet-facing servers to detect cyber security events |
| Related | ISM-1906 | E8-AC-ML2.7 requires event logs from internet-facing servers to be analysed in a timely manner to detect cyber security events |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.