Snowflake Audit Logs

Deprecation notice

Support for the audit endpoint and UI has been deprecated. Instead, pull audit logs from Kubernetes and push them to your SIEM.

Snowflake query audit logging is a feature that audits queries users run natively in Snowflake and turns them into Immuta audit logs. Immuta reads the Snowflake QUERY_HISTORY and ACCESS_HISTORY tables and translates them into audit logs that can be viewed and downloaded in the Immuta UI or retrieved through the Immuta API. Immuta audits the activity of Immuta users on Immuta data sources.

Requirements

Best Practices: Store Audit Records

By default, Immuta audit records expire after 60 days, so store them outside of Immuta in order to retain the audit history long term.

Audit Frequency

Immuta collects audit records at the frequency configured when the integration is enabled, which is between 1 and 24 hours. The frequency is a global setting per integration type, so organizations with multiple Snowflake integrations have the same audit frequency for all of them. The more frequently audit records are ingested, the more current they are; however, frequent jobs can have performance and cost impacts.

To manually request native query audit ingestion, click Load Audit Events on the Immuta audit page.

Audit Messages

Each audit message from the Immuta platform is a one-line JSON object containing the properties listed below. These audit records are stored with recordType set to nativeQuery.

| Property | Description | Example |
| --- | --- | --- |
| DateTime | integer or string. The timestamp for when the record was created. This may be an ISO-8601 timestamp string or an epoch timestamp. | 2504188066580 or 2017-08-31T14:01:15.607Z |
| ProfileID | integer. The profile ID of the user who made the query. | 1 |
| UserID | string. The user ID of the user who made the query. | jane.doe@immuta.com |
| DataSourceID | integer. The ID of the data source that was queried. | 12 |
| DataSourceName | string. The name of the data source that was queried. | Public Customer Data |
| RecordType | string. The type of record captured. Native query audit records will always be nativeQuery. | nativeQuery |
| Success | boolean. If true, the query was successful. | true or false |
| Component | string. The Immuta component that generated the record. | nativeSql |
| AccessType | string. Indicates whether access was granted to an individual blob or whether this was a query potentially encompassing many blobs. | query |
| Query | string. The query that was run in the integration. | select * from IMMUTA.PUBLIC.CUSTOMER; |
| Handler | string. The integration type. | Snowflake |
| StartTime | timestamp. The date and time the query started, in UTC. | 2021-09-20 17:20:00.39100000 +0000 |
| EndTime | timestamp. The date and time the query ended, in UTC. | 2021-09-20 17:20:02.42100000 +0000 |
| Duration | integer. The time the query took, in milliseconds. | 2030 |
| NativeObject | string. The fully qualified object that was queried. | IMMUTA.PUBLIC.CUSTOMER |
| NativeObjectType | string. The type of the object that was queried. | view or table |
| Host | string. The host that the integration is connected to. | your-hostname.snowflake.computing.com |
| Database | string. The database that the native object resides in. | IMMUTA |
| SQLUser | string. The integration username of the user who made the query. | jane.doe@immuta.com |
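As an added example (not Immuta's own code), the following Python normalizer prepares these one-line records for a SIEM: it matches property names case-insensitively because the table lists PascalCase names while the page's recordType example is camelCase (so the exact key casing is an assumption), accepts DateTime as either epoch milliseconds or an ISO-8601 string, rejects records that are not nativeQuery, and tallies failed queries per user over constructed sample lines.

```python
"""Normalize Immuta nativeQuery audit records (one JSON object per line) for SIEM forwarding."""
import json
from datetime import datetime, timezone

# Keys are matched case-insensitively: the property table lists PascalCase names while the
# page's own example writes recordType in camelCase, so the exact casing is an assumption.
REQUIRED = ("datetime", "userid", "recordtype", "success", "query", "nativeobject")

# Constructed sample lines in the documented shape (not real Immuta output).
SAMPLE_LINES = [
    '{"dateTime": 2504188066580, "profileId": 1, "userId": "jane.doe@immuta.com", "dataSourceId": 12,'
    ' "dataSourceName": "Public Customer Data", "recordType": "nativeQuery", "success": true,'
    ' "component": "nativeSql", "accessType": "query", "query": "select * from IMMUTA.PUBLIC.CUSTOMER;",'
    ' "handler": "Snowflake", "nativeObject": "IMMUTA.PUBLIC.CUSTOMER", "nativeObjectType": "table"}',
    '{"dateTime": "2017-08-31T14:01:15.607Z", "profileId": 2, "userId": "john.roe@immuta.com",'
    ' "dataSourceName": "Public Customer Data", "recordType": "nativeQuery", "success": false,'
    ' "query": "select * from IMMUTA.PUBLIC.ORDERS;", "nativeObject": "IMMUTA.PUBLIC.ORDERS"}',
    '{"recordType": "blobFetch", "userId": "jane.doe@immuta.com"}',  # not a native query record
    'not json at all',  # corrupt line: must not abort the batch
]

def to_utc(value):
    """DateTime may be an epoch timestamp in milliseconds or an ISO-8601 string."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value / 1000, tz=timezone.utc)
    # fromisoformat() before Python 3.11 rejects a trailing "Z"
    return datetime.fromisoformat(str(value).replace("Z", "+00:00")).astimezone(timezone.utc)

def parse_record(line):
    """Validate one audit line and return a normalized record; raise ValueError if unusable."""
    rec = {k.lower(): v for k, v in json.loads(line).items()}  # JSONDecodeError is a ValueError
    missing = [k for k in REQUIRED if k not in rec]
    if missing:
        raise ValueError(f"missing properties: {missing}")
    if rec["recordtype"] != "nativeQuery":
        raise ValueError(f"unexpected recordType {rec['recordtype']!r}")
    return {"timestamp": to_utc(rec["datetime"]).isoformat(), "user": rec["userid"],
            "object": rec["nativeobject"], "success": bool(rec["success"]), "query": rec["query"]}

def failed_queries_by_user(lines):
    """Count unsuccessful queries per user, skipping lines that do not validate."""
    counts = {}
    for line in lines:
        try:
            rec = parse_record(line)
        except ValueError:
            continue
        if not rec["success"]:
            counts[rec["user"]] = counts.get(rec["user"], 0) + 1
    return counts
```

Lines that fail validation are skipped rather than aborting the batch, so a single corrupt line does not stall forwarding; count or alert on the skipped lines in production so silent drops are noticed.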

Copyright © 2014-2024 Immuta Inc. All rights reserved.