Command line process creation logging is centralized
Log all command line processes in a central location for monitoring.
Plain language
This control is all about making sure that whenever something runs on a computer using a command line, a record of that action is saved in a central place. This is important because if something harmful were to happen, like a cyberattack or a virus, having these records helps us understand what's going on and how to fix it quickly.
Framework
ASD Essential Eight
Control effect
Detective
E8 mitigation strategy
Application hardening
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2
Official control statement
Command line process creation events are centrally logged.
Why it matters
Without centralised logging of command line process creation events, attacker-launched tools and scripts may not be detected or investigated in time.
Operational notes
Enable command line process creation logging on endpoints/servers and forward events to a central SIEM; validate coverage, retention and integrity (e.g. hashing) regularly.
Implementation tips
- The IT team must ensure that all computers are set to log command line events. This can be done by configuring the system to automatically send these logs to a central logging server.
- System administrators should use group policy settings to enable command line process creation logging on Windows machines, making sure the settings apply to all relevant computers across the organisation.
- The security officer should verify that the central logging system is capable of receiving logs from all networked computers by testing log transmission and reception regularly.
- The IT team should implement automated alerts for unusual command line activities to promptly identify potential security incidents. This can be done by setting up monitoring rules in the logging system.
- Regular training sessions for the IT team are essential, focusing on identifying unusual patterns in the logs that could indicate a security threat. This helps ensure the logs are effectively used for monitoring purposes.
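One way to run the coverage validation described in the operational notes and implementation tips, as an added example that is not part of the original page or of ASD guidance. The export field names, hostnames, sample events and the 24-hour freshness window are assumptions; 4688 is the Windows Security event ID for process creation, and its command line field is empty when the "Include command line in process creation events" policy has not been applied to the host.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample data: asset inventory and a JSON-lines export from the central log store.
INVENTORY = ["WS-001", "WS-002", "SRV-DB01", "SRV-WEB01"]
NOW = datetime(2026, 3, 19, 12, 0, tzinfo=timezone.utc)
EXPORT = """
{"host": "WS-001", "event_id": 4688, "time": "2026-03-19T11:40:00+00:00", "CommandLine": "ipconfig /all"}
{"host": "ws-002", "event_id": 4688, "time": "2026-03-19T11:05:00+00:00", "CommandLine": ""}
{"host": "WS-002", "event_id": 4688, "time": "2026-03-19T11:20:00+00:00"}
{"host": "SRV-DB01", "event_id": 4688, "time": "2026-03-16T09:00:00+00:00", "CommandLine": "hostname"}
{"host": "SRV-WEB01", "event_id": 4624, "time": "2026-03-19T11:59:00+00:00"}
"""

def coverage_report(inventory, export_text, now, max_age=timedelta(hours=24)):
    """Classify each inventoried host by the process creation events seen centrally."""
    latest = {}       # host -> timestamp of newest 4688 event received
    with_cmd = set()  # hosts with at least one 4688 carrying a non-empty command line
    for line in export_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("event_id") != 4688:
            continue  # other event types do not count towards this control
        host = event["host"].upper()  # hostnames compare case-insensitively
        seen = datetime.fromisoformat(event["time"])
        if host not in latest or seen > latest[host]:
            latest[host] = seen
        if (event.get("CommandLine") or "").strip():
            with_cmd.add(host)
    report = {"ok": [], "silent": [], "stale": [], "no_command_line": []}
    for host in inventory:
        key = host.upper()
        if key not in latest:
            report["silent"].append(host)           # forwarding or auditing not working
        elif now - latest[key] > max_age:
            report["stale"].append(host)            # forwarding has stopped
        elif key not in with_cmd:
            report["no_command_line"].append(host)  # 4688 arrives without the command line
        else:
            report["ok"].append(host)
    return report

if __name__ == "__main__":
    print(json.dumps(coverage_report(INVENTORY, EXPORT, NOW), indent=2))
```

Hosts reported as `no_command_line` are forwarding process creation events but would still fail the control, because the events do not record what was run.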
Audit / evidence tips
- Ask: Is command line process creation logging enabled on all computers?
- Good: The group policy is set to log all command line process creation events, and these logs are being sent to the central logging system.
- Ask: How are the logs being reviewed for unusual activity?
- Good: Logs are automatically analyzed, and the system sends alerts on detecting unusual activities, verified by recent test alerts for suspicious patterns.
Cross-framework mappings
How E8-AH-ML2.12 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.15 | E8-AH-ML2.12 requires that command line process creation events are centrally logged | |
| Supports (2) | | |
| Annex A 5.28 | E8-AH-ML2.12 requires centralised logging of command line process creation events, which can form an evidence trail of execution on systems | |
| Annex A 8.16 | E8-AH-ML2.12 requires command line process creation events to be centrally logged, providing visibility of execution behaviour across end... | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| ISM-0670 | ISM-0670 requires central logging of security-relevant events for CDSs | |
| ISM-1405 | E8-AH-ML2.12 requires centralised logging specifically for command line process creation events | |
| Partially overlaps (2) | | |
| ISM-1607 | E8-AH-ML2.12 requires centralised logging of command line process creation events on hosts | |
| ISM-1623 | E8-AH-ML2.12 requires that command line process creation events are centrally logged | |
| Supports (9) | | |
| ISM-0580 | ISM-0580 requires an organisation to develop, implement and maintain an event logging policy to ensure events are recorded and monitored | |
| ISM-0582 | E8-AH-ML2.12 requires centralised logging of command line process creation events to improve visibility of execution behaviour | |
| ISM-0585 | E8-AH-ML2.12 requires central logging of command line process creation events | |
| ISM-1228 | E8-AH-ML2.12 requires centralised logging of command line process creation events so that execution activity is available for monitoring | |
| ISM-1907 | E8-AH-ML2.12 requires command line process creation events to be centrally logged, creating a reliable log source for server monitoring | |
| ISM-1976 | E8-AH-ML2.12 requires centralised logging of command line process creation to detect suspicious execution | |
| ISM-1977 | E8-AH-ML2.12 requires command line process creation events to be centrally logged | |
| ISM-1986 | E8-AH-ML2.12 requires centralised logging of command line process creation events, which are commonly critical for detecting attacker tra... | |
| ISM-2051 | E8-AH-ML2.12 requires organisations to centrally log command line process creation events | |
| Depends on (1) | | |
| ISM-1983 | E8-AH-ML2.12 requires centralised logging of command line process creation events, which is most valuable when logs arrive centrally quic... | |
| Related (1) | | |
| ISM-1889 | E8-AH-ML2.12 requires organisations to centrally log command line process creation events for monitoring and detection | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.