Central Logging for Microsoft AD Server Activities
Log important actions on Microsoft AD servers in a central location for better monitoring.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Detective
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
Aug 2024
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Security-relevant events for Microsoft AD DS domain controllers, Microsoft AD CS CA servers, Microsoft AD FS servers and Microsoft Entra Connect servers are centrally logged.
Source: ASD Information Security Manual (ISM)
Plain language
This control means that actions taken on Microsoft Active Directory servers should be recorded in a central spot. This is important because if something goes wrong, like a security breach, you want to quickly find out what happened and who did what, so you can fix it and prevent it from happening again.
Why it matters
Without central logging, AD DS/CS/FS and Entra Connect security events may be missed, delaying detection, response and recovery.
Operational notes
Configure domain controllers, AD CS/FS and Entra Connect to forward security-relevant events to a central log store; review alerts regularly.
Implementation tips
- IT team should set up a central logging system: They need to ensure that all actions from Active Directory servers are sent to a centralised location. This can be done by using built-in tools within Windows to send logs to a chosen server where they are stored and monitored.
- System owners should regularly review logs: Schedule a weekly check of these logs to spot any unusual activities. They can use simple reporting tools to pull out logs from the central system and examine them for signs of trouble.
- Managers should ensure their team is trained to understand logs: Provide basic training sessions for staff responsible for reviewing these logs. Training should cover how to read the logs for signs of security events and what actions to take if something suspicious is found.
- IT administrators should implement automated alerts: Set up alerts to notify the team when specific suspicious activities occur. This is done by configuring thresholds or patterns in the central logging system that, once matched, trigger an email or message alert to administrators.
- System owners should create a log retention policy: Decide how long logs need to be kept based on your organisation’s needs and legal requirements. This involves setting configurations in your central logging system to automatically delete older logs after this period.
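The "built-in tools within Windows" the first tip refers to is Windows Event Forwarding (WEF). The following is an added PowerShell example, not from the ISM or Control Stack, that creates a source-initiated collector subscription scoped to domain controllers and domain computers; the collector hostname and the subscription name are hypothetical, and the Event ID list is a starting point, not a complete catalogue.

```powershell
# Added example (hypothetical names): a source-initiated WEF subscription on the collector.
# Domain controllers (AD DS) are covered by the DD SID; AD CS, AD FS and Entra Connect servers
# are domain-joined members, covered by the DC (Domain Computers) SID.

# Security-log Event IDs worth centralising (non-exhaustive):
#   4624/4625 logon success/failure, 4672 special privileges assigned, 4720/4726 user created/deleted,
#   4728/4732/4756 member added to global/local/universal group, 4768/4769/4771 Kerberos TGT/service ticket/pre-auth failure,
#   4776 NTLM credential validation, 4662 operation on a directory object, 1102 audit log cleared,
#   4886/4887/4888 AD CS request received/issued/denied, 4898 AD CS template loaded
$eventIds = 4624,4625,4662,4672,4720,4726,4728,4732,4756,4768,4769,4771,4776,4886,4887,4888,4898,1102
$selector = ($eventIds | ForEach-Object { "EventID=$_" }) -join ' or '

$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>AD-Security-Events</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security-relevant events from AD DS, AD CS, AD FS and Entra Connect servers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[($selector)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <!-- SDDL well-known SIDs: DD = Domain Controllers, DC = Domain Computers -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DD)(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
"@
$subscription | Set-Content -Path "$env:TEMP\AD-Security-Events.xml" -Encoding UTF8

wecutil qc /q                                    # enable and start the Windows Event Collector service
wecutil cs "$env:TEMP\AD-Security-Events.xml"    # create the subscription from the XML above
wecutil gr AD-Security-Events                    # runtime status: which sources have checked in and any errors

# On each source server, point it at the collector via GPO (Computer Configuration > Administrative
# Templates > Windows Components > Event Forwarding > Configure target Subscription Manager):
#   Server=http://collector.example.local:5985/wsman/SubscriptionManager/WEC,Refresh=60
# and add NETWORK SERVICE to the local "Event Log Readers" group so the forwarder can read the Security log.
```

A source that never appears in the `wecutil gr` output has not connected, which is the check to run before treating the central store as complete.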
Audit / evidence tips
- Ask: the logging configuration documentation: Request the document that details how logging is set up for Active Directory servers.
  Good: a document with step-by-step setup instructions and the location of the central log repository.
- Ask: recent log review reports.
  Good: a report showing regular log checks, dates of review, and actions taken if any issues were found.
- Ask: the training materials used for log review training: Request slides or notes from sessions given to staff.
  Good: materials outlining log interpretation skills and a schedule of past sessions.
- Ask: alert configuration settings: Request the settings that define how alerts are triggered from logs.
  Good: a list of configured alerts with explanations of why they are set and how they notify people.
- Ask: the log retention policy document: Request information on how long logs are kept.
  Good: a clear policy document showing retention timelines and methods for secure deletion of old logs.
Cross-framework mappings
How ISM-1830 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | ||
| Annex A 8.15 | ISM-1830 requires central logging of security-relevant events specifically for Microsoft AD DS, AD CS, AD FS and Entra Connect servers | |
| Supports (1) | ||
| Annex A 8.16 | ISM-1830 requires that security-relevant events on Microsoft AD-related servers are centrally logged | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | ||
| E8-RA-ML2.6 | ISM-1830 requires security-relevant events for Microsoft AD DS domain controllers, AD CS CA servers, AD FS servers and Microsoft Entra Co... | |
| Partially overlaps (1) | ||
| E8-MF-ML2.7 | ISM-1830 requires security-relevant events for Microsoft AD DS, AD CS, AD FS and Entra Connect servers to be centrally logged | |
| Supports (1) | ||
| E8-AH-ML2.15 | ISM-1830 requires central logging of security-relevant events from Microsoft AD DS, AD CS, AD FS and Entra Connect servers | |