E8-AC-ML2.7 ASD Essential Eight

Event logs from internet-facing servers are analysed to detect cybersecurity events

Review logs from internet servers quickly to spot any security issues.

Plain language

This control is about regularly reviewing the logs from servers that are accessible from the internet to catch any signs of cyber attacks quickly. By doing this, organisations can spot suspicious activities early and respond before they cause serious harm, like stealing sensitive data or crashing their website.

Framework

ASD Essential Eight

Control effect

Detective

E8 mitigation strategy

Application control

Classifications

N/A

Official last update

N/A

Control Stack last updated

19 May 2026

E8 maturity levels

ML2

Official control statement

Event logs from internet-facing servers are analysed in a timely manner to detect cyber security events.

Why it matters

If logs from internet-facing servers aren’t analysed promptly, intrusions can go unnoticed longer, increasing data theft and service disruption risk.

Operational notes

Centralise internet-facing server logs in a SIEM, set anomaly alerts, and review/investigate critical events daily to ensure timely detection.

Implementation tips

  • The IT team should ensure that all internet-facing servers are configured to record detailed event logs. This can be done by setting up the server’s logging features to capture key information such as login attempts and system alerts.
  • System administrators should set up automated alert systems to notify them of unusual activities. This involves using software that analyses the logs in real-time and sends alerts when suspicious patterns are detected.
  • Security officers should regularly review these alerts and investigate any flagged events. They can do this by checking the logs against known signs of data breaches, such as repeated failed login attempts or irregular access times.
  • The IT team should hold periodic training sessions for staff handling logs to ensure they know how to interpret them effectively. This can be done through workshops or onboarding programs for new staff.
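
The checks named in the tips above (repeated failed login attempts and irregular access times), written as detection logic over server logs. This is an added example, not part of the original control text; the sshd-style log layout with ISO timestamps, the threshold of 5 failures in 5 minutes, and the 07:00-19:00 working hours are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (sshd-style messages with ISO timestamps); not real data.
SAMPLE_LOG = """\
2026-05-19T02:14:01 web01 sshd[911]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
2026-05-19T02:14:03 web01 sshd[911]: Failed password for root from 203.0.113.7 port 51002 ssh2
2026-05-19T02:14:05 web01 sshd[911]: Failed password for root from 203.0.113.7 port 51003 ssh2
2026-05-19T02:14:09 web01 sshd[911]: Failed password for deploy from 203.0.113.7 port 51004 ssh2
2026-05-19T02:14:12 web01 sshd[911]: Failed password for deploy from 203.0.113.7 port 51005 ssh2
2026-05-19T03:40:55 web01 sshd[950]: Accepted password for deploy from 198.51.100.23 port 40022 ssh2
2026-05-19T09:05:10 web01 sshd[977]: Failed password for alice from 192.0.2.44 port 40100 ssh2
2026-05-19T09:05:31 web01 sshd[977]: Accepted publickey for alice from 192.0.2.44 port 40101 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def analyse(text, threshold=5, window=timedelta(minutes=5), work_hours=range(7, 19)):
    """Return alerts as (rule, timestamp, source_ip, user) tuples."""
    alerts = []
    recent = defaultdict(deque)   # source IP -> timestamps of recent failures
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # in production, count unparsed lines so gaps are visible
        ts = datetime.fromisoformat(m["ts"])
        if m["result"] == "Failed":
            q = recent[m["ip"]]
            q.append(ts)
            while ts - q[0] > window:   # drop failures outside the sliding window
                q.popleft()
            if len(q) == threshold:     # alert when the count reaches the threshold
                alerts.append(("repeated_failed_login", ts, m["ip"], m["user"]))
        elif ts.hour not in work_hours: # successful login outside working hours
            alerts.append(("off_hours_login", ts, m["ip"], m["user"]))
    return alerts

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

Each alert carries the timestamp and source address a reviewer needs to record the finding and the follow-up action as audit evidence.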

Audit / evidence tips

  • Ask: What processes are in place to analyse event logs from internet-facing servers?
  • Ask: To see records of log review activities, including schedules and findings
  • Good: A detailed schedule of regular log reviews with documented summaries of findings and actions taken in response to flagged events
  • Ask: How are unusual events identified and responded to?
  • Good: Logs show specific instances where alerts were generated, reviewed, and followed by appropriate responses such as adjusting security settings or conducting a deeper investigation
Cross-framework mappings

How E8-AC-ML2.7 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (2)
  • Annex A 8.15: E8-AC-ML2.7 requires timely analysis of event logs from internet-facing servers to detect cyber security events
  • Annex A 8.16: E8-AC-ML2.7 requires timely analysis of internet-facing server event logs to detect cyber security events
Supports (1)
  • Annex A 5.25: E8-AC-ML2.7 requires timely analysis of internet-facing server event logs to detect cyber security events

ASD ISM

Partially overlaps (2)
  • ISM-1960: ISM-1960 requires event logs from internet-facing network devices to be analysed in a timely manner to detect cyber security events
  • ISM-1986: E8-AC-ML2.7 requires timely analysis of event logs from internet-facing servers to detect cyber security events
Supports (2)
  • ISM-0120: ISM-0120 requires cyber security personnel to have the tools and data sources needed to monitor for indicators of compromise
  • ISM-0580: ISM-0580 requires an organisation to develop, implement and maintain an event logging policy to ensure events are recorded and monitored
Depends on (2)
  • ISM-1910: ISM-1910 requires centrally logging internet-accessible network API calls that modify data or access non-public data
  • ISM-1978: E8-AC-ML2.7 requires timely analysis of event logs from internet-facing servers to detect cyber security events
Related (1)
  • ISM-1906: E8-AC-ML2.7 requires event logs from internet-facing servers to be analysed in a timely manner to detect cyber security events

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
