1 of 1

Search Audit Logs

Support for the audit endpoint and UI has been deprecated. Instead, pull audit logs from Kubernetes and push them to your SIEM.

This page describes the audit endpoint API. The audit API allows users to programmatically search for audit records in Immuta.

Additional fields may be included in some responses you receive; however, these attributes are for internal purposes and are therefore undocumented.

Workflow

Search all audit records.
Retrieve a specific audit record.
Search for recent activities using the API key.
Search for queries for a specific data source.

Search for audit records

GET /audit

Search for audit records.

Query parameters

Attribute

Description

Required

Response parameters

Request example

The following request searches for all audit records.

curl \
    --request GET \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer dea464c07bd07300095caa8" \
    https://your-immuta-url.com/audit?size=2&sortField=dateTime&sortOrder=desc

Response example

{
  "hits": [
    {
      "dateTime": "1632756753272",
      "dataSourceName": null,
      "projectName": null,
      "recordType": "auditQuery",
      "blobId": null,
      "userId": "first.last@immuta.com",
      "profileId": 2,
      "purposeIds": null,
      "success": true,
      "failureReason": null,
      "id": "480d9d3f-4128-445d-8eec-3cccb34f9935",
      "fingerprintVersionName": null,
      "email": "first.last@immuta.com"
    },
    {
      "dateTime": "1632755783628",
      "dataSourceName": null,
      "projectName": null,
      "recordType": "authenticate",
      "blobId": null,
      "userId": "first.last@immuta.com",
      "profileId": 2,
      "purposeIds": null,
      "success": true,
      "failureReason": null,
      "id": "d143719b-6af9-4af3-aa99-8055be40e877",
      "fingerprintVersionName": null,
      "email": "first.last@immuta.com"
    }
  ],
}

Retrieve a specific audit record

GET /audit/{recordId}

Retrieve a specific audit record.

Query parameters

Response parameters

Request example

The following request retrieves a specific audit record.

curl \
    --request GET \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer dea464c07bd07300095caa8" \
    https://your-immuta-url.com/audit/480d9d3f-4128-445d-8eec-3cccb34f9935

Response Example

{
  "id": "480d9d3f-4128-445d-8eec-3cccb34f9935",
  "dateTime": "1632756753272",
  "month": 1460,
  "profileId": 2,
  "userId": "first.last@immuta.com",
  "dataSourceId": null,
  "dataSourceName": null,
  "projectId": null,
  "projectName": null,
  "purposeIds": null,
  "policyId": null,
  "policyName": null,
  "fingerprintVersionId": null,
  "fingerprintVersionName": null,
  "count": 1,
  "recordType": "auditQuery",
  "success": true,
  "failureReason": null,
  "failureDetails": null,
  "subscriptionState": null,
  "accessedId": null,
  "accessedIdType": null,
  "accessedIamId": null,
  "accessedUserId": null,
  "groupAccessType": null,
  "groupIamId": null,
  "accessedGroupId": null,
  "component": "audit",
  "accessType": null,
  "blobId": null,
  "query": null,
  "queryId": null,
  "extra": {
    "params": {
      "size": 50,
      "sortField": "dateTime",
      "sortOrder": "desc",
      "offset": 0
    }
  },
  "dataSourceSchemaName": null,
  "dataSourceTableName": null,
  "featureKey": null,
  "sqlUser": null,
  "action": null,
  "blobSize": null,
  "hardDelete": null,
  "keyAction": null,
  "keyId": null,
  "keyIamId": null,
  "keyUserId": null,
  "createdAt": "2021-09-27T15:32:33.274Z",
  "updatedAt": "2021-09-27T15:32:33.274Z"
}

Query for activity by API key

GET /audit/apikey/activity

Queries for the recent activity using the API key.

Query parameters

Response parameters

Request example

The following request queries for the recent activity using the API key.

curl \
    --request GET \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer dea464c07bd07300095caa8" \
    https://your-immuta-url.com/audit/apikey/activity?keyid=650&count=1

Response example

{
  "id": "480d9d3f-4128-445d-8eec-3cccb34f9935",
  "dateTime": "1632756753272",
  "month": 1460,
  "profileId": 2,
  "userId": "first.last@immuta.com",
  "dataSourceId": null,
  "dataSourceName": null,
  "projectId": null,
  "projectName": null,
  "purposeIds": null,
  "policyId": null,
  "policyName": null,
  "fingerprintVersionId": null,
  "fingerprintVersionName": null,
  "count": 1,
  "recordType": "auditQuery",
  "success": true,
  "failureReason": null,
  "failureDetails": null,
  "subscriptionState": null,
  "accessedId": null,
  "accessedIdType": null,
  "accessedIamId": null,
  "accessedUserId": null,
  "groupAccessType": null,
  "groupIamId": null,
  "accessedGroupId": null,
  "component": "audit",
  "accessType": null,
  "blobId": null,
  "query": null,
  "queryId": null,
  "extra": {
    "params": {
      "size": 50,
      "sortField": "dateTime",
      "sortOrder": "desc",
      "offset": 0
    }
  },
  "dataSourceSchemaName": null,
  "dataSourceTableName": null,
  "featureKey": null,
  "sqlUser": null,
  "action": null,
  "blobSize": null,
  "hardDelete": null,
  "keyAction": null,
  "keyId": null,
  "keyIamId": null,
  "keyUserId": null,
  "createdAt": "2021-09-27T15:32:33.274Z",
  "updatedAt": "2021-09-27T15:32:33.274Z"
}

Search for query list by data source

GET /audit/queries/dataSource/{dataSourceId}/mine

Returns the list of the current user's distinct queries for the specified data source.

Query parameters

Response parameters

Request example

The following request returns the list of the current user's distinct queries.

curl \
    --request GET \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer dea464c07bd07300095caa8" \
    https://your-immuta-url.com/audit/queries/dataSource/23/mine?size=10&sortField=lastrun&sortOrder=desc

Response example

{
  "hits": [
    {
      "auditId": "ff264e8e-2ccc-468f-9129-bb0995c9cdf5",
      "query": "select * from \"public\".\"foobar\"",
      "lastrun": "1631627763345",
      "timesrun": "5",
      "name": "Name"
    },
    {
      "auditId": "f722042f-f0f3-4c83-bd33-7672892d918f",
      "query": "SELECT * FROM \"public\".\"foobar\" LIMIT 100",
      "lastrun": "1631200121550",
      "timesrun": "3",
      "name": null
    }
  ],
  "count": 2
}

Search Audit Logs

Support for the audit endpoint and UI has been deprecated. Instead, pull audit logs from Kubernetes and push them to your SIEM.

This page describes the audit endpoint API. The audit API allows users to programmatically search for audit records in Immuta.

Additional fields may be included in some responses you receive; however, these attributes are for internal purposes and are therefore undocumented.

Workflow

Search all audit records.
Retrieve a specific audit record.
Search for recent activities using the API key.
Search for queries for a specific data source.

Search for audit records

GET /audit

Search for audit records.

Query parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

The following request searches for all audit records.

curl \
    --request GET \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer dea464c07bd07300095caa8" \
    https://your-immuta-url.com/audit?size=2&sortField=dateTime&sortOrder=desc

Response example

{
  "hits": [
    {
      "dateTime": "1632756753272",
      "dataSourceName": null,
      "projectName": null,
      "recordType": "auditQuery",
      "blobId": null,
      "userId": "first.last@immuta.com",
      "profileId": 2,
      "purposeIds": null,
      "success": true,
      "failureReason": null,
      "id": "480d9d3f-4128-445d-8eec-3cccb34f9935",
      "fingerprintVersionName": null,
      "email": "first.last@immuta.com"
    },
    {
      "dateTime": "1632755783628",
      "dataSourceName": null,
      "projectName": null,
      "recordType": "authenticate",
      "blobId": null,
      "userId": "first.last@immuta.com",
      "profileId": 2,
      "purposeIds": null,
      "success": true,
      "failureReason": null,
      "id": "d143719b-6af9-4af3-aa99-8055be40e877",
      "fingerprintVersionName": null,
      "email": "first.last@immuta.com"
    }
  ],
}

Retrieve a specific audit record

GET /audit/{recordId}

Retrieve a specific audit record.

Query parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

The following request retrieves a specific audit record.

curl \
    --request GET \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer dea464c07bd07300095caa8" \
    https://your-immuta-url.com/audit/480d9d3f-4128-445d-8eec-3cccb34f9935

Response Example

{
  "id": "480d9d3f-4128-445d-8eec-3cccb34f9935",
  "dateTime": "1632756753272",
  "month": 1460,
  "profileId": 2,
  "userId": "first.last@immuta.com",
  "dataSourceId": null,
  "dataSourceName": null,
  "projectId": null,
  "projectName": null,
  "purposeIds": null,
  "policyId": null,
  "policyName": null,
  "fingerprintVersionId": null,
  "fingerprintVersionName": null,
  "count": 1,
  "recordType": "auditQuery",
  "success": true,
  "failureReason": null,
  "failureDetails": null,
  "subscriptionState": null,
  "accessedId": null,
  "accessedIdType": null,
  "accessedIamId": null,
  "accessedUserId": null,
  "groupAccessType": null,
  "groupIamId": null,
  "accessedGroupId": null,
  "component": "audit",
  "accessType": null,
  "blobId": null,
  "query": null,
  "queryId": null,
  "extra": {
    "params": {
      "size": 50,
      "sortField": "dateTime",
      "sortOrder": "desc",
      "offset": 0
    }
  },
  "dataSourceSchemaName": null,
  "dataSourceTableName": null,
  "featureKey": null,
  "sqlUser": null,
  "action": null,
  "blobSize": null,
  "hardDelete": null,
  "keyAction": null,
  "keyId": null,
  "keyIamId": null,
  "keyUserId": null,
  "createdAt": "2021-09-27T15:32:33.274Z",
  "updatedAt": "2021-09-27T15:32:33.274Z"
}

Query for activity by API key

GET /audit/apikey/activity

Queries for the recent activity using the API key.

Query parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

The following request queries for the recent activity using the API key.

curl \
    --request GET \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer dea464c07bd07300095caa8" \
    https://your-immuta-url.com/audit/apikey/activity?keyid=650&count=1

Response example

{
  "id": "480d9d3f-4128-445d-8eec-3cccb34f9935",
  "dateTime": "1632756753272",
  "month": 1460,
  "profileId": 2,
  "userId": "first.last@immuta.com",
  "dataSourceId": null,
  "dataSourceName": null,
  "projectId": null,
  "projectName": null,
  "purposeIds": null,
  "policyId": null,
  "policyName": null,
  "fingerprintVersionId": null,
  "fingerprintVersionName": null,
  "count": 1,
  "recordType": "auditQuery",
  "success": true,
  "failureReason": null,
  "failureDetails": null,
  "subscriptionState": null,
  "accessedId": null,
  "accessedIdType": null,
  "accessedIamId": null,
  "accessedUserId": null,
  "groupAccessType": null,
  "groupIamId": null,
  "accessedGroupId": null,
  "component": "audit",
  "accessType": null,
  "blobId": null,
  "query": null,
  "queryId": null,
  "extra": {
    "params": {
      "size": 50,
      "sortField": "dateTime",
      "sortOrder": "desc",
      "offset": 0
    }
  },
  "dataSourceSchemaName": null,
  "dataSourceTableName": null,
  "featureKey": null,
  "sqlUser": null,
  "action": null,
  "blobSize": null,
  "hardDelete": null,
  "keyAction": null,
  "keyId": null,
  "keyIamId": null,
  "keyUserId": null,
  "createdAt": "2021-09-27T15:32:33.274Z",
  "updatedAt": "2021-09-27T15:32:33.274Z"
}

Search for query list by data source

GET /audit/queries/dataSource/{dataSourceId}/mine

Returns the list of the current user's distinct queries for the specified data source.

Query parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

The following request returns the list of the current user's distinct queries.

curl \
    --request GET \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer dea464c07bd07300095caa8" \
    https://your-immuta-url.com/audit/queries/dataSource/23/mine?size=10&sortField=lastrun&sortOrder=desc

Response example

{
  "hits": [
    {
      "auditId": "ff264e8e-2ccc-468f-9129-bb0995c9cdf5",
      "query": "select * from \"public\".\"foobar\"",
      "lastrun": "1631627763345",
      "timesrun": "5",
      "name": "Name"
    },
    {
      "auditId": "f722042f-f0f3-4c83-bd33-7672892d918f",
      "query": "SELECT * FROM \"public\".\"foobar\" LIMIT 100",
      "lastrun": "1631200121550",
      "timesrun": "3",
      "name": null
    }
  ],
  "count": 2
}