Skip to content
arrow_back
E8-AC-ML3.5
search
E8-AC-ML3.5 bolt ASD Essential Eight

Workstation event logs are promptly analysed for security events

Quickly check workstation logs to find any security events.

Detective ML3 Essential EightApplication controlloggingaudit trailincident detection
record_voice_over

Plain language

Event logs are like a diary for your computers, recording everything that happens on them. By checking these logs quickly, we can spot any suspicious activity, like someone trying to break in. If we don't keep an eye on these logs, bad guys could sneak in and cause damage without anyone noticing.

Framework

ASD Essential Eight

Control effect

Detective

E8 mitigation strategy

Application control

Classifications

N/A

Official last update

N/A

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML3

Official control statement

Event logs from workstations are analysed in a timely manner to detect cyber security events.
bolt ASD Essential Eight E8-AC-ML3.5
priority_high

Why it matters

Neglecting timely workstation log analysis can leave breaches undetected, enabling persistence, lateral movement and privilege escalation.

settings

Operational notes

Centralise workstation event logs (e.g., to SIEM), alert on key events and review/triage within 24 hours with defined escalation.

build

Implementation tips

  • IT Team: Ensure event logging is turned on for all workstations by enabling logging features through the operating system settings.
  • System Administrator: Set up an automated system to collect and consolidate logs from all workstations daily, so nothing gets missed.
  • Security Officer: Review significant log entries at least once a week to identify any unusual patterns or entries that could indicate a security breach.
  • IT Team: Implement alerts for specific keywords or activities in the logs, such as login failures or unexpected software installations, to act promptly on potential threats.
fact_check

Audit / evidence tips

  • AskAre workstation event logs being reviewed regularly?
  • GoodEvidence shows logs are reviewed weekly, with documented responses to any incidents
  • AskHow are significant log events tracked and responded to?
  • GoodOrganisation has a procedure in place that documents actions taken for all flagged events
link

Cross-framework mappings

How E8-AC-ML3.5 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
layers Partially meets (2) expand_less
Annex A 8.15 E8-AC-ML3.5 requires workstation event logs to be analysed promptly to detect security events
Annex A 8.16 E8-AC-ML3.5 requires organisations to promptly analyse workstation event logs to detect cyber security events

ASD ISM

Control Notes Details
layers Partially meets (2) expand_less
ISM-1228 E8-AC-ML3.5 requires organisations to promptly analyse workstation event logs to detect cyber security events
ISM-1987 E8-AC-ML3.5 requires workstation event logs to be analysed promptly to detect cyber security events
handshake Supports (1) expand_less
ISM-1889 ISM-1889 requires that command line process creation events are centrally logged
extension Depends on (1) expand_less
ISM-2051 E8-AC-ML3.5 requires organisations to analyse workstation event logs in a timely manner to detect cyber security events

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

Mapping detail

Mapping

Direction

Controls