10.4.1.1 Automated mechanisms are used to perform audit log reviews.
Defined Approach Requirements
10.4.1.1 Automated mechanisms are used to perform audit log reviews.
Customized Approach Objective
Potentially suspicious or anomalous activities are identified via a repeatable and consistent mechanism.
Applicability Notes
This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Defined Approach Testing Procedures
10.4.1.1 Examine log review mechanisms and interview personnel to verify that automated mechanisms are used to perform log reviews.
Purpose
Manual log reviews are difficult to perform, even for one or two systems, due to the amount of log data that is generated. However, using log harvesting, parsing, and alerting tools, centralized log management systems, event log analyzers, and security information and event management (SIEM) solutions can help facilitate the process by identifying log events that need to be reviewed.
Good Practice
Establishing a baseline of normal audit activity patterns is critical to the effectiveness of an automated log review mechanism. The analysis of new audit activity against the established baseline can significantly improve the identification of suspicious or anomalous activities.
The entity should keep logging tools aligned with any changes in their environment by periodically reviewing tool settings and updating settings to reflect any changes.
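As an added illustration of the baseline-and-compare mechanism described above (example code written for this page, not from PCI SSC or any particular tool), the script below builds a per-user baseline of daily audit activity from one window of records and then flags activity in a newer window that has no baseline or exceeds it. The log format, host names, user names and the 3x threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample audit records (not from any real system): timestamp then key=value fields.
BASELINE_LOGS = """\
2024-05-01T08:02:11Z host=app01 user=alice event=login result=success src=10.0.0.5
2024-05-01T08:04:40Z host=app01 user=alice event=read_card_data result=success src=10.0.0.5
2024-05-01T09:15:02Z host=app01 user=bob event=login result=success src=10.0.0.9
2024-05-01T09:16:30Z host=app01 user=bob event=login result=failure src=10.0.0.9
2024-05-01T09:16:45Z host=app01 user=bob event=login result=success src=10.0.0.9
2024-05-02T08:01:59Z host=app01 user=alice event=login result=success src=10.0.0.5
"""

NEW_LOGS = """\
2024-05-03T08:03:12Z host=app01 user=alice event=login result=success src=10.0.0.5
2024-05-03T02:41:07Z host=app01 user=alice event=change_audit_config result=success src=10.0.0.5
2024-05-03T09:10:00Z host=app01 user=bob event=login result=failure src=10.0.0.9
2024-05-03T09:10:05Z host=app01 user=bob event=login result=failure src=10.0.0.9
2024-05-03T09:10:09Z host=app01 user=bob event=login result=failure src=10.0.0.9
2024-05-03T09:10:14Z host=app01 user=bob event=login result=failure src=10.0.0.9
2024-05-03T11:00:00Z host=app01 user=carol event=login result=success src=10.0.0.77
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse(lines):
    """Parse key=value records into dicts; skip lines missing the fields the review needs."""
    events = []
    for line in lines.splitlines():
        rec = dict(FIELD_RE.findall(line))
        if all(k in rec for k in ("user", "event", "result")):
            events.append(rec)
    return events

def build_baseline(lines, days):
    """Baseline = per-user daily rate of each (event, result) pair over a window of `days` days."""
    counts = Counter((r["user"], r["event"], r["result"]) for r in parse(lines))
    return {key: n / days for key, n in counts.items()}

def review(lines, baseline, days=1, ratio=3.0):
    """Flag users absent from the baseline, activity absent from a user's baseline,
    or activity running above `ratio` times the user's baseline daily rate."""
    findings = []
    counts = Counter((r["user"], r["event"], r["result"]) for r in parse(lines))
    known_users = {user for user, _, _ in baseline}
    for key, n in sorted(counts.items()):
        user, event, result = key
        rate = n / days
        if user not in known_users:
            findings.append((user, event, result, "user never seen in baseline"))
        elif key not in baseline:
            findings.append((user, event, result, "activity not in user's baseline"))
        elif rate > ratio * baseline[key]:
            findings.append((user, event, result, f"{rate:.1f}/day vs baseline {baseline[key]:.1f}/day"))
    return findings
```

Each finding is the kind of event the automated mechanism would queue for a human reviewer; the baseline itself must be rebuilt as the environment changes, as the next paragraph notes.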
Further Information
Refer to the Information Supplement: Effective Daily Log Monitoring for additional guidance.
Purpose
Review logs of all system components at least daily.
Compliance Strategies
- Daily automated review
- SIEM alerting
Typical Policies
- Daily Log Review Policy
Common Pitfalls
- Missed daily reviews
- No escalation process
Type
Process Control
Difficulty
High
Key Risks
- Delayed incident detection
Recommendations
- Automate daily review and alerting
Eligible SAQ
- SAQ-A-EP
- SAQ-C
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER