10.2.2 Audit logs record the following details for each auditable event:
Defined Approach Requirements
10.2.2 Audit logs record the following details for each auditable event:
- User identification.
- Type of event.
- Date and time.
- Success and failure indication.
- Origination of event.
- Identity or name of affected data, system component, resource, or service (for example, name and protocol).
Customized Approach Objective
Sufficient data is captured to identify successful and failed attempts, and the who, what, when, where, and how of each event listed in requirement 10.2.1.
Defined Approach Testing Procedures
10.2.2 Interview personnel and examine audit log configurations and log data to verify that all elements specified in this requirement are included in log entries for each auditable event (from 10.2.1.1 through 10.2.1.7).
Purpose
By recording these details for the auditable events at 10.2.1.1 through 10.2.1.7, a potential compromise can be quickly identified, with sufficient detail to facilitate following up on suspicious activities.
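As an added illustration (not part of the PCI DSS text), the following Python code shows one way to emit audit entries that carry all six 10.2.2 elements and to check existing log lines for missing elements and failed attempts during review. The JSON field names (`user`, `event_type`, `timestamp`, `outcome`, `origin`, `target`) and the sample log lines are assumptions constructed for this example; PCI DSS mandates the elements, not a schema.

```python
import json
from datetime import datetime, timezone

# Elements PCI DSS requirement 10.2.2 says every audit log entry must carry.
# The field names are an assumption for this example, not a PCI-mandated schema.
REQUIRED_FIELDS = (
    "user",        # user identification
    "event_type",  # type of event
    "timestamp",   # date and time
    "outcome",     # success or failure indication
    "origin",      # origination of event (e.g. source address or host)
    "target",      # identity or name of affected data, component, resource or service
)


def make_audit_entry(user, event_type, outcome, origin, target, when=None):
    """Build one audit log entry as a dict containing every 10.2.2 element."""
    if outcome not in ("success", "failure"):
        raise ValueError("outcome must be 'success' or 'failure'")
    when = when or datetime.now(timezone.utc)
    return {
        "user": user,
        "event_type": event_type,
        "timestamp": when.isoformat(),
        "outcome": outcome,
        "origin": origin,
        "target": target,
    }


def missing_fields(entry):
    """Return the 10.2.2 elements absent or empty in an entry (empty tuple if complete)."""
    return tuple(f for f in REQUIRED_FIELDS if not entry.get(f))


def review_log(lines):
    """Parse JSON log lines; report entries missing required elements and failed attempts.

    Result keys: total (entries seen), noncompliant (line number, missing fields),
    failures (line number, user, target) for complete entries with outcome 'failure'.
    """
    report = {"total": 0, "noncompliant": [], "failures": []}
    for n, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue
        report["total"] += 1
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            report["noncompliant"].append((n, ("unparseable",)))
            continue
        gaps = missing_fields(entry)
        if gaps:
            report["noncompliant"].append((n, gaps))
        elif entry["outcome"] == "failure":
            report["failures"].append((n, entry["user"], entry["target"]))
    return report


# Constructed sample log lines for this example (not real log data).
_T0 = datetime(2024, 1, 15, 8, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    json.dumps(make_audit_entry("alice", "login", "success", "10.0.0.5", "cde-app01:ssh", _T0)),
    json.dumps(make_audit_entry("bob", "login", "failure", "10.0.0.9", "cde-app01:ssh", _T0)),
    # Entry lacking outcome and origination: does not satisfy 10.2.2.
    json.dumps({"user": "svc-backup", "event_type": "read",
                "timestamp": "2024-01-15T08:02:00+00:00", "target": "pan_store.db"}),
    "not json at all",
]

if __name__ == "__main__":
    print(json.dumps(review_log(SAMPLE_LOG), indent=2))
```

Run as a script it prints the review report for the constructed sample: line 3 is flagged for missing `outcome` and `origin`, line 4 as unparseable, and line 2 surfaces as a failed attempt by `bob` against `cde-app01:ssh`. The same `review_log` function can be pointed at a real log file's lines once entries are emitted in this shape.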
Purpose
Review logs of all system components to identify anomalies or suspicious activity.
Compliance Strategies
- Daily log review
- Automated log analysis tools
Typical Policies
- Log Review Procedures
Common Pitfalls
- Missed daily reviews
- Overreliance on manual review
Type
Process Control
Difficulty
High
Key Risks
- Delayed detection of incidents
Recommendations
- Automate log review and alerting
Eligible SAQ
- SAQ-A-EP
- SAQ-C
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER