E8-AH-ML2.14 bolt ASD Essential Eight

Timely Analysis of Event Logs from Internet-Facing Servers

Regularly review event logs from internet-facing servers to spot security issues quickly.

Detective ML2 Essential EightUser application hardening logging incident detection

record_voice_over

Plain language

This control is about looking at the logs from your servers that face the internet, like a shop window facing the street. Regularly checking these logs helps you spot dodgy activity early, like someone trying to break in, so you can stop it before any serious damage is done.

01 — Overview

Framework

ASD Essential Eight

Control effect

Detective

E8 mitigation strategy

Application hardening

Classifications

N/A

Official last update

N/A

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML2

Official control statement

Event logs from internet-facing servers are analyzed in a timely manner to detect cyber security events.

bolt ASD Essential Eight E8-AH-ML2.14

priority_high

Why it matters

Without timely analysis of event logs from internet-facing servers, intrusions may go unnoticed, enabling persistence, data theft, and disruption.

settings

Operational notes

Review internet-facing server event logs at least daily (within 24 hours) and alert on anomalies such as repeated failures, new admin accounts, or suspicious processes.

04 — Mappings

link

Cross-framework mappings

How E8-AH-ML2.14 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

ISO 27001

Control	Notes	Details
layers Partially meets (2) expand_less
Annex A 8.15	E8-AH-ML2.14 requires timely analysis of event logs from internet-facing servers to detect cyber security events
Annex A 8.16	E8-AH-ML2.14 requires timely analysis of event logs from internet-facing servers to detect cyber security events
sync_alt Partially overlaps (1) expand_less
Annex A 5.28	E8-AH-ML2.14 requires timely analysis of internet-facing server event logs to detect cyber security events
handshake Supports (2) expand_less
Annex A 5.25	E8-AH-ML2.14 requires timely analysis of internet-facing server event logs to detect cyber security events
Annex A 5.26	E8-AH-ML2.14 requires timely analysis of internet-facing server logs to detect cyber security events

ASD ISM

Control	Notes	Details
layers Partially meets (1) expand_less
ISM-1228	E8-AH-ML2.14 requires timely analysis of event logs from internet-facing servers to detect cyber security events
sync_alt Partially overlaps (6) expand_less
ISM-1907	E8-AH-ML2.14 requires event logs from internet-facing servers to be analysed in a timely manner to detect cyber security events
ISM-1960	E8-AH-ML2.14 requires timely analysis of event logs from internet-facing servers to detect cyber security events
ISM-1961	ISM-1961 requires timely analysis of event logs from non-internet-facing network devices to detect cyber security events
ISM-1963	E8-AH-ML2.14 requires timely analysis of event logs from internet-facing servers to detect cyber security events
ISM-1986	E8-AH-ML2.14 requires timely analysis of event logs from internet-facing servers to detect cyber security events
ISM-1987	E8-AH-ML2.14 requires timely analysis of event logs from internet-facing servers to detect cyber security events
handshake Supports (2) expand_less
ISM-0580	ISM-0580 requires an organisation to develop, implement and maintain an event logging policy to ensure events are recorded and monitored
ISM-1624	ISM-1624 requires PowerShell script block logs to be protected using Protected Event Logging functionality
extension Depends on (3) expand_less
ISM-1978	E8-AH-ML2.14 requires timely analysis of event logs from internet-facing servers to detect cyber security events
ISM-1983	E8-AH-ML2.14 requires timely analysis of event logs from internet-facing servers to detect cyber security events
ISM-2051	E8-AH-ML2.14 requires timely analysis of event logs from internet-facing servers to detect cyber security events
link Related (1) expand_less
ISM-1906	E8-AH-ML2.14 requires event logs from internet-facing servers to be analysed in a timely manner to detect cyber security events

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.