Databricks Audit Logs
Deprecation notice
Support for the audit endpoint and UI has been deprecated. Instead, pull audit logs from Kubernetes and push them to your SIEM.
In addition to the executed Spark plan, the tables, and the tables' underlying paths for every audited Spark job, Immuta captures the code or query that triggers the Spark plan. Immuta audits the activity of Immuta users on Immuta data sources.
Requirements
Databricks users registered as Immuta users: Note that the users' Databricks usernames must be mapped to Immuta. Without this, Immuta will not know the users are Immuta users and will not collect audit events for their data access activity.
Best Practices: Store Audit Records
By default, Immuta audit records expire after 60 days, so store audit records outside of Immuta in order to retain them long term.
Audit Messages
Each audit message from the Immuta platform will be a one-line JSON object containing the properties listed below. These audit records are stored with the `recordType`: `spark`.
Property | Description | Example |
---|---|---|
ID | | |
DateTime | | |
Month | | |
ProfileID | | |
UserID | | |
DataSourceID | | |
DataSourceName | | |
ProjectID | | |
ProjectName | | |
PurposeID | | |
RecordType | Databricks query audit records will always be `spark` | |
Success | | |
Component | | |
AccessType | | |
Query | See the example below | |
actionStatus | | |
actionStatusReason | | |
policySet | | |
entitlements | | |
Example queryText
Below is an example of the `queryText`, which contains the full notebook cell (since the query was the result of a notebook). If the query had been from a JDBC connection, the `queryText` would contain the full SQL query.
This notebook cell had multiple audit records associated with it, but the example audit record corresponds to the `filteredDf.write.saveAsTable('{}.audit_cell'.format(testDb))` line.
Example Audit Record
This example audit record contains two fields under `extra`:
- `queryText`: The `queryText` will contain either the full notebook cell (when the query is the result of a notebook) or the full SQL query (when it is a query from a JDBC connection).
- `queryLanguage`: The `queryLanguage` corresponds to the programming language used: SQL, Python, Scala, or R. Audited JDBC queries will indicate here that the query came from JDBC.
Enriched Databricks Audit Logs
Beyond raw audit events (such as "John Doe queried Table X in Databricks"), the Databricks audit records include the policy information enforced during the query execution, even if a query was denied.
Queries will be denied if at least one of the conditions below is true:
- User does not meet policy conditions.
- User is not subscribed to the data source.
- Data source is not in the user's current project.
- Data source is in the user's current project, but the user is not subscribed to the data source.
- Data source is not registered in Immuta.
Query Denied Records
Access denied audit records include details about the user (`accessControls.entitlements`) and the Subscription policy (`accessControls.policySet`) that blocked access to the table.
User Entitlements
The user's `entitlements` represent the state at the time of the query. This includes the following fields:
- `project`: The user's current project.
- `attributes`: The user's attributes.
- `groups`: The user's groups.
- `impersonatedUsers`: The user that the current user is impersonating.
Policy Information
The `policySet` includes the following fields:
- `subscriptionPolicyType`: The type of Subscription policy (such as `MANUAL`, `ADVANCED`, or `ENTITLEMENTS`).
- `type`: Indicates whether the policy is a `SUBSCRIPTION` or `DATA` policy. Query denied records will always be a Subscription policy `type`.
- `ruleAppliedForUser`: Indicates whether or not the policy was applied for the user. If `false`, the user was an exception to the policy.
- `rationale`: The policy rationale written by the policy creator.
- `global`: Indicates whether or not the policy was a Global policy. When `false`, the policy is Local.
- `mergedPolicies`: Shows the policy information for each of the merged Global Subscription policies.
Query Denied Audit Log Excerpt
Query Scenario
Before examining the audit log excerpt below, review the user's entitlements and the policy on the `patient_transactions` data source.
User Entitlements
- groups: none
- attributes: `SpecialAccess.Addresses`, `OfficeLocation.Maryland`
- current project: Medical Claims
Data Source Policy
- Subscription Policy: Allow individual users you select to access the data source.
The Databricks user described above attempts to query a `patient_transactions` table, which has not been added to a project. The user's query is denied, and the audit logs reveal the policy details. Focus specifically on the `entitlements`, `policySet`, `actionStatus`, and `actionStatusReason` sections below:
Although the user was subscribed to the data source, the `project` field shows that this user is currently working under the `Medical Claims` project, and the `actionStatusReason` indicates that the data source has not been added to that project. Consequently, the `actionStatus` field shows the query was `UNAUTHORIZED`.
Successful Query Records
User Entitlements
The user's `entitlements` includes the following fields:
- `project`: The user's current project.
- `attributes`: The user's attributes.
- `groups`: The user's groups.
- `impersonatedUsers` (when relevant): The username the current user is impersonating.
Policy Information
For a successful query, `policySet` includes all policies applied to the data source:
- `subscriptionPolicyType`: The type of Subscription policy (such as `MANUAL`, `ADVANCED`, or `ENTITLEMENTS`).
- `type`: Indicates whether the policy is a `SUBSCRIPTION` or `DATA` policy.
- `ruleAppliedForUser`: Indicates whether or not a policy was applied for the user. If `false`, the user was an exception to the policy.
- `rationale`: Provides the rationale given for the policy by the policy creator.
- `global`: Indicates whether or not the policy was a Global policy. When `false`, the policy is Local.
- `mergedPolicies`: Shows the policy information for each of the merged Global Subscription policies.
Successful Query Excerpt
Query Scenario
Before examining the audit log excerpt below, review the user's entitlements and the policy on the `patients` data source.
User Entitlements
- groups: none
- attributes: `SpecialAccess.Addresses`, `OfficeLocation.Maryland`
- current project: None
Data Source Policies
- Subscription Policy: Allow individual users you select to access the data source.
- Data Policy: Mask by making null the value in the column(s) `lastname` for everyone.
- Data Policy: Mask by hashing the value in the column(s) `address` for everyone except users who possess the attribute `SpecialAccess.Addresses`.
The Databricks user described above attempts to query a `patients` table. The user's query is successful, and the audit logs reveal the policy details. Focus specifically on the `entitlements`, `policySet`, and `actionStatus` sections below:
This user is subscribed to the data source and the `actionStatus` shows their query was a `SUCCESS`.
The first masking policy in `policySet` masks the field `lastname` to NULL for everyone, as no `exceptions` are listed. Furthermore, the `ruleAppliedForUser` field is `true`, indicating that the querying user sees `NULL` values for this column.
However, the `ruleAppliedForUser` for the second masking policy in the `policySet` is `false`, indicating that the querying user can see the values in the `address` column in the clear because one of their entitlements is listed under `exceptions` to the policy: `SpecialAccess.Addresses`.
Global Merged Subscription Policies Excerpt
Query Scenario
Before examining the audit log excerpt below, review the user's entitlements and the policy on the `maryland_employees` data source.
User Entitlements
- groups: none
- attributes: `SpecialAccess.Addresses`, `OfficeLocation.Maryland`
- current project: None
Data Source Policy
- Merged Subscription Policy: Allow users to subscribe if they have the attribute `OfficeLocation.Maryland` or are a member of the group `Human Resources`.
The Databricks user described above attempts to query the `maryland_employees` table. The user's query is successful, and the audit logs reveal the policy details. Focus specifically on the `entitlements`, `mergedPolicies`, and `actionStatus` sections below:
This user is subscribed to the data source and the `actionStatus` shows their query was a `SUCCESS`.
The `mergedPolicies` section illustrates both Global policies that were merged and applied to the data source. Although the querying user is not a member of the group `Human Resources`, the `ruleAppliedForUser` field is still `true` and they are subscribed to the data source because they met one requirement of the subscription policy: they possess the attribute `OfficeLocation.Maryland`.
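The following is an added example (not Immuta's own code) that reads one-line JSON audit records of the shape described in the Query Denied and Successful Query sections above and reduces each to the fields a reviewer checks first: `actionStatus`, `actionStatusReason`, the user's current `project`, and which `DATA` policies in `policySet` were applied for the user versus waived through an `exceptions` entitlement. The sample records are constructed; the top-level field names, `extra` and `accessControls` follow this page, while the exact JSON nesting and the `columns`/`exceptions` keys on a data policy are assumptions.

```python
import json

# Constructed sample records in the shape this page describes. Field names come from
# the page; the exact nesting and the "columns"/"exceptions" keys are assumptions.
DENIED_LINE = json.dumps({
    "userId": "jdoe", "dataSourceName": "patient_transactions", "recordType": "spark",
    "actionStatus": "UNAUTHORIZED",
    "actionStatusReason": "data source is not in the user's current project",
    "extra": {"queryText": "SELECT * FROM patient_transactions", "queryLanguage": "SQL"},
    "accessControls": {
        "entitlements": {"project": "Medical Claims", "groups": [],
                         "attributes": ["SpecialAccess.Addresses", "OfficeLocation.Maryland"]},
        "policySet": [{"type": "SUBSCRIPTION", "subscriptionPolicyType": "MANUAL",
                       "ruleAppliedForUser": True, "global": False}]}})
SUCCESS_LINE = json.dumps({
    "userId": "jdoe", "dataSourceName": "patients", "recordType": "spark",
    "actionStatus": "SUCCESS",
    "extra": {"queryText": "spark.table('patients').show()", "queryLanguage": "Python"},
    "accessControls": {
        "entitlements": {"project": None, "groups": [],
                         "attributes": ["SpecialAccess.Addresses", "OfficeLocation.Maryland"]},
        "policySet": [
            {"type": "SUBSCRIPTION", "subscriptionPolicyType": "MANUAL", "ruleAppliedForUser": True},
            {"type": "DATA", "columns": ["lastname"], "exceptions": [], "ruleAppliedForUser": True},
            {"type": "DATA", "columns": ["address"], "exceptions": ["SpecialAccess.Addresses"],
             "ruleAppliedForUser": False}]}})

def summarize(line):
    """Reduce one one-line JSON audit record to the fields a reviewer checks first."""
    rec = json.loads(line)
    if rec.get("recordType") != "spark":
        raise ValueError("not a Databricks (recordType 'spark') audit record")
    controls = rec.get("accessControls", {})
    out = {"user": rec.get("userId"), "dataSource": rec.get("dataSourceName"),
           "status": rec.get("actionStatus"), "reason": rec.get("actionStatusReason"),
           "project": controls.get("entitlements", {}).get("project"),
           "queryLanguage": rec.get("extra", {}).get("queryLanguage"),
           "maskedColumns": [], "clearColumns": []}
    for pol in controls.get("policySet", []):
        if pol.get("type") != "DATA":
            continue
        # ruleAppliedForUser false: the user matched an exception and sees the column in the clear
        key = "maskedColumns" if pol.get("ruleAppliedForUser") else "clearColumns"
        out[key].extend(pol.get("columns", []))
    return out

def unauthorized(lines):
    """(user, dataSource, reason) for each denied query: the rows worth alerting on in a SIEM."""
    return [(s["user"], s["dataSource"], s["reason"])
            for s in map(summarize, lines) if s["status"] == "UNAUTHORIZED"]
```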