Centrally log PowerShell module, script block, and transcription events
Ensure logging of PowerShell activities is centralized for monitoring.
Plain language
Centrally logging PowerShell activities means keeping a record of everything that's done using PowerShell, which is a powerful tool used for managing computers. This is important because if someone with bad intentions uses PowerShell to cause harm, like installing harmful software or stealing information, having these logs helps us catch them and understand what they did.
Framework
ASD Essential Eight
Control effect
Detective
E8 mitigation strategy
Application hardening
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2
Official control statement
PowerShell module logging, script block logging and transcription events are centrally logged.
Why it matters
Without centralised PowerShell logging, malicious script blocks/modules may run without detection, delaying investigation and increasing risk of compromise or data theft.
Operational notes
Centrally forward PowerShell module, script block and transcription logs; alert on encoded commands, suspicious download/exec and bypass flags; routinely review for anomalies.
Implementation tips
- IT team should enable PowerShell logging by configuring Group Policy settings. This can be done by setting up module, script block, and transcription logging in the Group Policy Management Console.
- System administrator should ensure that logs are sent to a centralised logging system. They can do this by configuring the event logs to be forwarded to a central server where they can be monitored.
- Security officer should regularly review the logs for suspicious activity. They should use a log analysis tool to look for unusual patterns or signs of unauthorised access.
- System administrator should ensure the logging settings are applied consistently across all computers. This can be checked by running a compliance report using system management tools.
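As an added example (not from the original page or the Control Stack project), the compliance check in the last tip can be scripted: this PowerShell reads the Group Policy registry values for the three logging types, checks that transcripts go to a network share rather than a local folder, and verifies that event forwarding is configured. It assumes Windows Event Forwarding is the forwarding mechanism; a third-party agent would need its own check.

```powershell
# Added example: per-host compliance record for E8-AH-ML2.11.
# Run locally, or fleet-wide with:
#   Invoke-Command -ComputerName $hosts -FilePath .\Test-PSLogging.ps1 | Export-Csv report.csv
# Values are read from the policy hive, so $null means the GPO has not applied.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    $item = Get-ItemProperty -Path "$policyRoot\$SubKey" -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$module        = Get-PolicyValue 'ModuleLogging'      'EnableModuleLogging'
$scriptBlock   = Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging'
$transcription = Get-PolicyValue 'Transcription'      'EnableTranscripting'
$transcriptDir = Get-PolicyValue 'Transcription'      'OutputDirectory'

# Module logging only covers modules listed under ModuleNames; '*' means all modules.
$moduleNames = (Get-Item "$policyRoot\ModuleLogging\ModuleNames" -ErrorAction SilentlyContinue).Property

# Windows Event Forwarding (assumption: WEF is the central forwarding mechanism).
# Each numbered value under SubscriptionManager names a collector server.
$wefPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$wefTargets = @((Get-ItemProperty -Path $wefPath -ErrorAction SilentlyContinue).PSObject.Properties |
    Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value })

# Evidence that script block logging is actually producing events (event ID 4104)
# in the last 24 hours, not just that the policy value is set.
$recent4104 = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddDays(-1)
} -MaxEvents 1 -ErrorAction SilentlyContinue

[PSCustomObject]@{
    ComputerName          = $env:COMPUTERNAME
    ModuleLogging         = ($module -eq 1)
    ModuleNamesCoverAll   = ($moduleNames -contains '*')
    ScriptBlockLogging    = ($scriptBlock -eq 1)
    Transcription         = ($transcription -eq 1)
    TranscriptDirectory   = $transcriptDir
    TranscriptDirIsShared = ($transcriptDir -like '\\*')   # UNC path = off-host copy
    ForwardingConfigured  = ($wefTargets.Count -gt 0)
    ScriptBlockEventsSeen = ($null -ne $recent4104)
    Compliant             = ($module -eq 1 -and $scriptBlock -eq 1 -and
                             $transcription -eq 1 -and $wefTargets.Count -gt 0)
}
```

Hosts where the policy values are set but ScriptBlockEventsSeen is false deserve a look, since that pattern points at a disabled event log or a forwarding gap rather than a missing GPO.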
Audit / evidence tips
- Ask: Are PowerShell logging settings configured via Group Policy?
  Good: Group Policy settings show that module, script block, and transcription logging are enabled for all applicable computers.
- Ask: Is there a centralised logging system in place for PowerShell activity?
  Good: Documentation confirms logs are forwarded to a central logging server and regularly reviewed.
- Ask: How often are the PowerShell logs reviewed and analysed?
  Good: A documented routine exists showing regular log reviews, with analysis reports highlighting any irregularities.
Cross-framework mappings
How E8-AH-ML2.11 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.15 | E8-AH-ML2.11 requires organisations to centrally log specific PowerShell telemetry (module logging, script block logging, and transcription) |
| Depends on | Annex A 8.17 | E8-AH-ML2.11 requires that PowerShell module logging, script block logging and transcription events are centrally logged for monitoring a... |
ASD ISM
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | ISM-0582 | ISM-0582 mandates central logging of security-relevant events on Microsoft Windows |
| Partially overlaps | ISM-1622 | ISM-1622 requires PowerShell to be configured to use Constrained Language Mode to restrict what scripts can do |
| Partially overlaps | ISM-1624 | ISM-1624 requires PowerShell script block logs to be protected using Protected Event Logging to prevent tampering and unauthorised disclo... |
| Partially overlaps | ISM-1889 | ISM-1889 requires central logging of command line process creation events to provide visibility of command shell activity |
| Partially overlaps | ISM-1989 | ISM-1989 requires event logs to be retained according to AFDA Express minimum retention requirements |
| Supports | ISM-0120 | ISM-0120 requires cyber security personnel to have access to sufficient data sources and tools to monitor systems for indicators of compr... |
| Supports | ISM-0580 | ISM-0580 requires an organisation to develop, implement and maintain an event logging policy to ensure events are recorded and monitored |
| Supports | ISM-1621 | ISM-1621 requires organisations to disable or remove Windows PowerShell 2.0 to remove an older execution environment that can evade moder... |
| Supports | ISM-1983 | ISM-1983 requires event logs to be forwarded to a centralised logging facility as soon as possible after they occur |
| Depends on | ISM-0988 | E8-AH-ML2.11 requires central logging of detailed PowerShell execution artefacts so they can be monitored and investigated |
| Depends on | ISM-1405 | E8-AH-ML2.11 requires PowerShell module, script block, and transcription events to be centrally logged |
| Related | ISM-1623 | ISM-1623 requires that PowerShell module logging, script block logging and transcription events are centrally logged for monitoring |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.