Starburst (Trino) Audit Logs

Deprecation notice

Support for the audit endpoint and UI has been deprecated. Instead, pull audit logs from Kubernetes and push them to your SIEM.

With the Event Listener enabled, users can view audit records for queries made in Starburst against Immuta data sources on the Audit page. Immuta audits the activity of Immuta users on Immuta data sources.

Requirements

Best Practices: Store Audit Records

By default Immuta audit records expire after 60 days, so store audit records outside of Immuta in order to retain the audits long term.

Audit Message

Each audit message from the Immuta platform will be a one-line JSON object containing the properties listed below. These audit records are stored with the recordType: prestoQuery.

Property
Description
Example

ID

string

b0000000-1234-abcd-11111111111111

DateTime

integer or string The timestamp for when the record was created. This may be an ISO-8601 timestamp string or an epoch timestamp.

2504188066580 or 2017-08-31T14:01:15.607Z

Month

integer

1455

ProfileID

integer The profile ID of the user who made the query.

1

UserID

string The user ID of the user who made the query.

jane.doe@immuta.com

DataSourceID

integer The ID of the data source that was queried.

12

DataSourceName

string The name of the data source that was queried.

Public Customer Data

ProjectID

integer The ID of the project the data source is in.

18

ProjectName

string The name of the project the data source is in.

Project 1

RecordType

string The type of record captured.

Trino query audit records will always be prestoQuery.

Success

boolean If true, the query was successful.

true or false

Component

string The Immuta component that generated the record.

nativeSql

AccessType

string Indicates whether access was granted to an individual blob or if this was a query potentially encompassing many blobs.

query

Query

string The query that was run in the integration.

select * from immuta.public. \"case\" limit 50

Extra

array Information on the query, including viewSql, direct, and maskedColumns.

See example audit record below.

DataSourceSchemaName

string

The name of the schema that the data source that was queried came from.

DataSourceTableName

string The name of the table of the data source that was queried.

case

sqlUser

string The Starburst (Trino) username of the user who made the query.

kris

Example Audit Record

{
"id": "b0d49f2a-4a34-4d50-b36e-fd9b619eed32",
"dateTime": "1617997828777",
"month": 1455,
"profileId": 1,
"userId": "kris@immuta.com",
"dataSourceId": 41,
"dataSourceName": "Crime Data Delta",
"projectId": 17,
"count": 1,
"recordType": "prestoQuery",
"success": true,
"component": "nativeSql",
"accessType": "query",
"query": "select * from immuta.public. \"case\" limit 50",
"extra": {
    "direct": true,
    "maskedColumns": {
        "ssn": "Hashing",
        "dob": "Generalization",
        "country": "Constant"
    }
},
"dataSourceSchemaName": "public",
"dataSourceTableName": "default_crime_data_delta",
"sqlUser": "kris",
"createdAt": "2021-04-09T19:50:28.787Z",
"updatedAt": "2021-04-09T19:50:28.787Z"
}

Last updated

Other versions

SaaS2024.32024.2

Copyright © 2014-2024 Immuta Inc. All rights reserved.