Workstation event logs are promptly analysed for security events
Quickly check workstation logs to find any security events.
Plain language
Event logs are like a diary for your computers, recording everything that happens on them. By checking these logs quickly, we can spot any suspicious activity, like someone trying to break in. If we don't keep an eye on these logs, bad guys could sneak in and cause damage without anyone noticing.
Framework
ASD Essential Eight
Control effect
Detective
E8 mitigation strategy
Application control
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Official control statement
Event logs from workstations are analysed in a timely manner to detect cyber security events.
Why it matters
Neglecting timely workstation log analysis can leave breaches undetected, enabling persistence, lateral movement and privilege escalation.
Operational notes
Centralise workstation event logs (e.g., to SIEM), alert on key events and review/triage within 24 hours with defined escalation.
Implementation tips
- IT Team: Ensure event logging is turned on for all workstations by enabling logging features through the operating system settings.
- System Administrator: Set up an automated system to collect and consolidate logs from all workstations daily, so nothing gets missed.
- Security Officer: Review significant log entries at least once a week to identify any unusual patterns or entries that could indicate a security breach.
- IT Team: Implement alerts for specific keywords or activities in the logs, such as login failures or unexpected software installations, to act promptly on potential threats.
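The alerting and triage steps above, as an added example that is not part of the original page: constructed workstation events are scanned for failed-logon bursts and installs outside an allow-list, and alerts that have passed the 24-hour review window without a documented outcome are listed for escalation. Event IDs follow the Windows convention; the thresholds, the allow-list and the sample data are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of centralised workstation events (not real log data).
# Event IDs follow the Windows convention: 4625 = failed logon,
# 11707 = MsiInstaller product installed, 4688 = process creation.
SAMPLE_EVENTS = [
    {"ts": "2026-03-19T08:00:05", "host": "WS-017", "id": 4625, "user": "j.doe"},
    {"ts": "2026-03-19T08:00:40", "host": "WS-017", "id": 4625, "user": "j.doe"},
    {"ts": "2026-03-19T08:01:10", "host": "WS-017", "id": 4625, "user": "j.doe"},
    {"ts": "2026-03-19T08:01:55", "host": "WS-017", "id": 4625, "user": "j.doe"},
    {"ts": "2026-03-19T08:02:30", "host": "WS-017", "id": 4625, "user": "j.doe"},
    {"ts": "2026-03-19T08:05:00", "host": "WS-020", "id": 4625, "user": "a.lee"},
    {"ts": "2026-03-19T08:30:00", "host": "WS-020", "id": 4688, "image": "notepad.exe"},
    {"ts": "2026-03-19T09:00:00", "host": "WS-017", "id": 11707, "product": "Corp Agent 3.2"},
    {"ts": "2026-03-19T09:15:00", "host": "WS-017", "id": 11707, "product": "RemoteTool 1.0"},
]

# Tuning values are assumptions for this example, not figures from the control.
FAILED_LOGON_THRESHOLD = 5
FAILED_LOGON_WINDOW = timedelta(minutes=10)
APPROVED_INSTALLS = {"Corp Agent 3.2"}   # assumed software allow-list
TRIAGE_SLA = timedelta(hours=24)         # review/triage window from the operational notes

def detect(events):
    """Alert on a burst of failed logons per host/user and on any install outside the allow-list."""
    alerts, recent = [], defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["id"] == 4625:
            key = (e["host"], e["user"])
            recent[key] = [t for t in recent[key] if ts - t <= FAILED_LOGON_WINDOW] + [ts]
            if len(recent[key]) == FAILED_LOGON_THRESHOLD:   # fire once when the threshold is reached
                alerts.append({"ts": ts, "host": e["host"], "kind": "failed_logon_burst", "detail": e["user"]})
        elif e["id"] == 11707 and e["product"] not in APPROVED_INSTALLS:
            alerts.append({"ts": ts, "host": e["host"], "kind": "unexpected_install", "detail": e["product"]})
    return alerts

def overdue(alerts, now_iso):
    """Alerts past the 24-hour SLA with no documented triage outcome: candidates for escalation."""
    now = datetime.fromisoformat(now_iso)
    return [a for a in alerts if not a.get("triaged") and now - a["ts"] > TRIAGE_SLA]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(a["ts"], a["host"], a["kind"], a["detail"])
    print("overdue:", len(overdue(found, "2026-03-20T10:00:00")))
```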
Audit / evidence tips
- Ask: Are workstation event logs being reviewed regularly?
- Good: Evidence shows logs are reviewed weekly, with documented responses to any incidents.
- Ask: How are significant log events tracked and responded to?
- Good: The organisation has a procedure in place that documents the actions taken for all flagged events.
Cross-framework mappings
How E8-AC-ML3.5 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.15 | E8-AC-ML3.5 requires workstation event logs to be analysed promptly to detect security events |
| Partially meets | Annex A 8.16 | E8-AC-ML3.5 requires organisations to promptly analyse workstation event logs to detect cyber security events |
ASD ISM
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | ISM-1228 | E8-AC-ML3.5 requires organisations to promptly analyse workstation event logs to detect cyber security events |
| Partially meets | ISM-1987 | E8-AC-ML3.5 requires workstation event logs to be analysed promptly to detect cyber security events |
| Supports | ISM-1889 | ISM-1889 requires that command line process creation events are centrally logged |
| Depends on | ISM-2051 | E8-AC-ML3.5 requires organisations to analyse workstation event logs in a timely manner to detect cyber security events |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.