GRCWatch
Sign inStart free trial

PCI DSS 10.4.3: Address Log Review Exceptions and Anomalies

Detecting anomalies in system logs is only half the battle—responding to them is what separates compliant organizations from those at risk. PCI DSS 10.4.3 requires you to investigate and address every exception flagged during log review, ensuring no suspicious activity goes unexplained. This control closes the gap between detection and remediation.

What this means

PCI DSS 10.4.3 mandates that your organization must have a documented process to investigate, document, and resolve all exceptions and anomalies discovered during system log reviews. This includes unauthorized access attempts, unusual data transfers, configuration changes, failed authentication events, and any deviations from baseline activity patterns. Simply identifying these events isn't enough—you must determine root cause, take corrective action, and maintain audit trails of your investigation.

How to comply

  1. 1.Establish a log review schedule (daily minimum for critical systems) and document findings in a centralized log management system
  2. 2.Define clear criteria for what constitutes an exception or anomaly (failed logins, privilege escalations, after-hours access, etc.)
  3. 3.Create a formal investigation workflow that assigns responsibility, sets investigation timelines, and documents findings
  4. 4.Investigate each exception within a defined timeframe (typically 24-48 hours) to determine legitimacy and root cause
  5. 5.Document investigation results including who reviewed the logs, what was found, actions taken, and resolution date
  6. 6.Track and monitor repeat exceptions to identify patterns and systemic issues requiring policy or technical changes
  7. 7.Maintain audit evidence of exception handling for at least 1 year (preferably 3 years) for auditor review
  8. 8.Train staff on what constitutes an anomaly and the investigation process they must follow

Evidence auditors look for

  • Log review exception tracking spreadsheet or database showing date, exception type, investigator, findings, and resolution
  • Investigation reports documenting analysis of failed authentication attempts or privilege escalation events
  • Change management records showing corrective actions taken in response to identified anomalies
  • Email trails or ticket system entries showing assignment and completion of exception investigations
  • Baseline activity reports showing normal vs. anomalous behavior patterns
  • Escalation records for critical exceptions handled through incident response procedures
  • Staff training records confirming log review and exception handling training completion

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically correlates log anomalies across your environment, prioritizes exceptions by severity, and tracks investigation status in a single dashboard—eliminating spreadsheets and ensuring no exception falls through the cracks.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 10.2 - Implement automated audit trailsPCI DSS 10.3 - Protect audit trail historyPCI DSS 10.4.1 - Review user access logsPCI DSS 10.4.2 - Review privileged access logsPCI DSS 10.5 - Promptly test security systemsPCI DSS 10.7 - Retain audit trail history