Using Immuta Detect

Immuta Detect provides value from the moment the dashboards are visible, which can be enabled for organizations with Snowflake, Databricks Spark, and Databricks Unity Catalog integrations. Currently, organizations with Snowflake integrations can get even more value with data sensitivity and tagging. To determine and surface the sensitivity of your data access, enable and tune classification.

Completing all the steps below will fully onboard you with Detect and Discover:

Before you begin

Prerequisites:

The onboarding process assumes that these prerequisites have already been set up, but here are the Immuta features and configuration required to enable Detect. Each integration can be used alone or a Snowflake integration can be used with either Databricks Spark or Databricks Unity Catalog. Databricks Spark and Databricks Unity Catalog are not supported together with Detect:

For Snowflake integrations:

• :

  • : This feature can be enabled when first configuring the integration or when editing the integration.

  • : While not required, it is recommended to enable this feature to properly audit unauthorized query events. Without it, unauthorized events will still show as successful. Project workspaces cannot be used with table grants, so if your organization relies on them, leave this feature disabled.

    Benefits and limitations of enabling table grants

    With enabled:

    • Unauthorized query events will be audited and present in the Detect dashboards.

    • Table grants will manage the privileges in Snowflake for Immuta tables, making it more efficient than without.

    Without table grants:

    • Unauthorized events are unavailable because users will have successful queries of zero rows, even if they do not have access to the table.

    • You can use project workspaces. Table grants is not compatible with project workspaces. If your organization depends on that capability, table grants is not recommended.

• Snowflake tables and users registered in Immuta: Detect only audits events by users registered in Immuta on tables registered in Immuta. If you do not register the tables and users, their actions will not appear in the audit records or on the Detect dashboards.

For Databricks Spark integrations:

For Databricks Unity Catalog integrations:

Recommended:

This setting is not required for Detect, but can be used for better functionality:

View Detect dashboards

Requirement:

Immuta permission USER_ADMIN

Actions:

To see sensitivity information using a Snowflake integration, proceed with the steps below.

Show data sensitivity with Discover

There are two options to tag data and activate classification frameworks to determine the sensitivity of your data:

After completing either of the tutorials above, data sources are tagged with entity tags and classification tags. Once users start querying data, and after the data latency with Snowflake, the Detect dashboards will show audit information with sensitivity information and the Discover data inventory dashboard will show details about the data that was scanned.

If you notice some sensitivity types are not appearing as you expect, proceed with the step below.

Adjust and accept data sensitivity

Requirement:

Immuta permissions AUDIT and GOVERNANCE

Actions:

After Discover has run SDD and the classification frameworks, it may be necessary to adjust the resulting tags based on your organization's data, security, and compliance needs:

After completing the tutorials above, all data appears as the appropriate sensitivity type on the Detect dashboards with Snowflake data sources.

FAQs

Why do I see empty charts in Detect activity pages?

Supported integrations

Detect supports the following integration for activity pages with dynamic query sensitivity that will determine and visualize the sensitivity of user queries:

Detect supports the following integrations for activity pages, but will not visualize any sensitivity:

• Databricks Spark

Why is my query event classified as "Indeterminate" or "Nonsensitive" when the data dictionary tags imply the query event should be classified to be at least "Sensitive"?

Troubleshooting

Check your data source tags

If you have completed the above steps and still see new query events as "Indeterminate" or "Nonsensitive", check that the right tags were applied in the data dictionary:

1. Navigate to the data source dictionary page.

2. Confirm one of the following tags is applied to one of the queried data columns:

   • RAF.Confidentiality.Very High

   • RAF.Confidentiality.High

   • RAF.Confidentiality.Medium

   Detect uses the sensitivity scores associated with these tags to classify a query's sensitivity. When the queried columns have these tags and the associated classification rules in RAF or Data Security Framework (DSF) are enabled at the time of audit query processing, the query event will indicate the proper classification.

3. If there are no RAF tags applied, check if there are any DSF or Discovered tags applied. These tags are necessary for RAF tags to be applied.

Activate the frameworks

If you do not see any RAF tags, ensure the Data Security Framework and Risk Assessment Framework are active:

1. Navigate to the classification frameworks page.

2. Check the status of the Data Security Framework and the Risk Assessment Framework.

Run sensitive data discovery

Additional Resources