Public preview
This feature is available to all accounts. Contact your Immuta representative to enable this feature.
Requirements:
Immuta permission AUDIT
Monitors feature enabled
Navigate to Detect in the navigation menu.
Click Create Monitor.
Enter a Name for the monitor.
Choose what to monitor in the dropdown menu:
When User Accessed Any Data Source: This monitors user activity for all data sources in Immuta.
When User Accessed Data Source in Schema: This monitors user activity for just the data sources within the schema you enter.
When User Accessed Specific Data Source: This monitors user activity for the specific data source you enter.
Create conditions for the monitor to further scope user activities:
Query Duration: This scopes the monitor to consider the duration of the query. Enter the Query Duration in seconds.
Tag: This scopes the monitor to consider queries whose event contexts include all of the selected tags. The query must be associated with all specified tags in any combination of queried column tags, queried classification tags, and queried table tags. For more information, see the query event context concept.
Query Outcome: This scopes the monitor to queries whose outcome is successful, unauthorized, or failed. You can select Unauthorized or Failed to create a monitor that can notify you when a registered Immuta user has exceeded the configurable threshold for unauthorized or failed queries. This condition only works with the User Query Count metric scoped to When User Accessed Any Data Source.
Sensitivity: This scopes the monitor to only consider queries that are classified as sensitive or highly sensitive. This condition should only be used if classification has been configured.
All conditions must be satisfied for the query to be considered by the monitor.
Select Next to configure rules.
Select the Timeframe from the dropdown menu to specify the time range within which the threshold cannot be exceeded.
Choose what kind of user activity metric to monitor in the metric dropdown menu:
Number of Rows Accessed: This monitors for the quantity of rows the user accessed and can be combined with additional conditions on tags and sensitivity. The exact number of rows is configured in the severity thresholds.
User Query Count: This monitors the number of queries the user made and can be combined with additional conditions on tags, sensitivity, and query outcome. The exact number of queries is configured in the severity thresholds.
Select at least one of the Severity Thresholds to set thresholds for the configured user activity metric. An observation will be created and assigned the matching severity when the metric exceeds the threshold.
Click Next to show the notifications configuration.
Choose the frequency of the notifications to webhooks when an observation is created:
Never: You can review observations in the Immuta application, and Immuta will not send webhook notifications when observations are made.
Notify each time an Observation is generated: Every time the monitor creates an observation, a webhook notification will be sent.
Notify the first time an Observation is generated for each user: A webhook notification will be sent only for the first observation the monitor creates about a user. You will not receive further notifications from the monitor for later observations about the same user. New observations about previously notified users can be reviewed in the Immuta UI.
Select a webhook from the dropdown menu or opt to create a new webhook.
Choose the severity you want notifications for. This will send out webhook notifications only for the severity threshold that you select.
Click Next and review the monitor selections.
Click Create Monitor.
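The conditions, severity thresholds and notification options described above, modelled in Python as an added example (not Immuta's code or API). The event field names, the severity names and the fixed evaluation windows are assumptions made for illustration, and the sample events are constructed.

```python
# Model of the monitor rules on this page; field and severity names are hypothetical.
SEVERITIES = ["low", "medium", "high"]  # assumed names, lowest first

def q(user, t, outcome, column=(), classification=(), table=()):
    """Build one constructed query event (t is seconds since an arbitrary start)."""
    return {"user": user, "t": t, "outcome": outcome, "column_tags": set(column),
            "classification_tags": set(classification), "table_tags": set(table)}

def matches(event, cond):
    """All conditions must hold; each required tag may come from any tag kind."""
    tags = event["column_tags"] | event["classification_tags"] | event["table_tags"]
    if not cond.get("tags", set()) <= tags:
        return False
    return cond.get("outcome") in (None, event["outcome"])

def observe(events, cond, thresholds, start, end):
    """One observation per user whose matching query count in [start, end) exceeds a threshold."""
    counts = {}
    for e in events:
        if start <= e["t"] < end and matches(e, cond):
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    out = []
    for user, n in sorted(counts.items()):
        hit = [s for s in SEVERITIES if s in thresholds and n > thresholds[s]]
        if hit:  # assumption: the highest exceeded threshold sets the severity
            out.append({"user": user, "count": n, "severity": hit[-1]})
    return out

def notify(observations, mode, severity, notified):
    """Return the observations sent to the webhook; `notified` persists across calls."""
    sent = []
    for o in observations:
        skip = mode == "never" or o["severity"] != severity
        if skip or (mode == "first_per_user" and o["user"] in notified):
            continue
        notified.add(o["user"])
        sent.append(o)
    return sent

PF = {"column": ["PII"], "table": ["Finance"]}  # constructed sample data below
EVENTS = (
    [q("alice", t, "unauthorized", **PF) for t in (10, 20, 3700, 3800, 3900)]
    + [q("alice", 30, "unauthorized", classification=["PII"], table=["Finance"])]
    + [q("alice", 40, "unauthorized", column=["PII"])]  # lacks Finance: not counted
    + [q("bob", 15, "success", **PF)]                   # outcome differs: not counted
    + [q("bob", t, "unauthorized", **PF) for t in (25, 3650, 3750)]
)
COND = {"tags": {"PII", "Finance"}, "outcome": "unauthorized"}
THRESHOLDS = {"low": 1, "high": 2}  # an observation needs a count above the threshold
```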