Snowflake Query Audit Logs

The Snowflake query audit logs feature audits queries that users run natively in Snowflake and presents them in a universal format as Immuta audit logs. Immuta uses the Snowflake QUERY_HISTORY and ACCESS_HISTORY tables and translates their records into audit logs that can be viewed at query events in the Immuta UI or exported to S3. Immuta audits the activity of Immuta users on Immuta data sources.

Requirements

Store audit logs

By default, Immuta audit logs expire after 7 days. To retain audit logs long-term, export the universal audit model (UAM) logs to S3 or ADLS Gen 2 and store them outside of Immuta.

Audit frequency

Immuta collects audit records at the frequency configured when enabling the integration, which is between 1 and 24 hours. The frequency is a global setting based on integration type, so organizations with multiple Snowflake integrations will have the same audit frequency for all of them. The more frequently audit records are ingested, the more current they are; however, frequent ingestion jobs can have performance and cost impacts.

To manually request native query audit ingestion, click Load Audit Events on the Immuta audit page.

Audit schema

Each audit message from the Immuta platform will be a one-line JSON object containing the properties listed below.

Example audit record

{
  "action": "QUERY",
  "actor": {
    "type": "USER_ACTOR",
    "name": "Taylor",
    "id": "taylor@snowflake.com",
    "identityProvider": "bim",
    "impersonatedBy": null
  },
  "sessionId": "18245308848957358",
  "actionStatus": "SUCCESS",
  "actionStatusReason": null,
  "eventTimestamp": "2023-03-21T13:39:45.040598-04:00",
  "id": "abcd",
  "userAgent": "Snowflake Web App",
  "tenantId": "your-immuta.com",
  "targetType": "DATASOURCE",
  "targets": [
    {
      "type": "DATASOURCE",
      "id": "2034",
      "name": "University Art Gallery Exhibition",
      "technology": "SNOWFLAKE"
    }
  ],
  "relatedResources": [],
  "auditPayload": {
    "type": "QueryAuditPayload",
    "queryId": "01a9c8f5-0602-eeb3-0040-d203014c166a",
    "query": "SELECT T2.theme ,  T1.date ,  T1.attendance FROM \"DETECT_DEMO_DB\".\"UNIVERSITY_ART_GALLERY\".\"EXHIBITION_RECORD\" AS T1 JOIN \"DETECT_DEMO_DB\".\"UNIVERSITY_ART_GALLERY\".\"EXHIBITION\" AS T2 ON T1.exhibition_id  =  T2.exhibition_id WHERE T2.year  =  2004",
    "startTime": "2023-03-21T13:39:45.040598-04:00",
    "endTime": "2023-03-21T13:05:07.040598-04:00",
    "duration": 163,
    "errorCode": null,
    "technologyContext": {
      "type": "SnowflakeContext",
      "host": "example.snowflakecomputing.com",
      "clientIp": "xxx.xx.xx.xx",
      "snowflakeUsername": "taylor@snowflake.com",
      "rowsProduced": 3,
      "roleName": "ACCOUNTADMIN",
      "warehouseId": "3",
      "warehouseName": "DETECT_WH",
      "clusterNumber": 1
    },
    "objectsAccessed": [
      {
        "name": "DB.PUBLIC.CASE",
        "datasourceId": "3",
        "databaseName": "DB",
        "schemaName": "PUBLIC",
        "type": "TABLE",
        "columns": [
          {
            "name": "DOB",
            "tags": [],
            "securityProfile": {
              "sensitivity": {
                "score": "INDETERMINATE"
              }
            },
            "inferred": false
          },
          {
            "name": "COUNTRY",
            "tags": [],
            "securityProfile": {
              "sensitivity": {
                "score": "INDETERMINATE"
              }
            },
            "inferred": false
          },
          {
            "name": "DEPARTMENT",
            "tags": [],
            "securityProfile": {
              "sensitivity": {
                "score": "INDETERMINATE"
              }
            },
            "inferred": false
          },
          {
            "name": "FIRSTNAME",
            "tags": [],
            "securityProfile": {
              "sensitivity": {
                "score": "INDETERMINATE"
              }
            },
            "inferred": false
          },
          {
            "name": "SSN",
            "tags": [],
            "securityProfile": {
              "sensitivity": {
                "score": "INDETERMINATE"
              }
            },
            "inferred": false
          },
          {
            "name": "ID",
            "tags": [],
            "securityProfile": {
              "sensitivity": {
                "score": "INDETERMINATE"
              }
            },
            "inferred": false
          },
          {
            "name": "COMPANY",
            "tags": [],
            "securityProfile": {
              "sensitivity": {
                "score": "INDETERMINATE"
              }
            },
            "inferred": false
          },
          {
            "name": "LASTNAME",
            "tags": [],
            "securityProfile": {
              "sensitivity": {
                "score": "INDETERMINATE"
              }
            },
            "inferred": false
          }
        ],
        "tags": [],
        "securityProfile": {
          "sensitivity": {
            "score": "INDETERMINATE"
          }
        }
      }
    ],
    "securityProfile": {
      "sensitivity": {
        "score": "NONSENSITIVE"
      }
    }
  },
  "receivedTimestamp": "2023-03-22T13:22:04.979644-04:00"
}
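
The following is an added example, not Immuta code: a small triage script for exported audit lines in the shape shown above. It flags queries run under a privileged Snowflake role and reads of watched columns whose column-level sensitivity score is still INDETERMINATE, even when the query-level score reads NONSENSITIVE. The WATCHED_COLUMNS and PRIVILEGED_ROLES sets and the two sample lines are assumptions constructed for the example.

```python
import json

# Assumptions for this example (not Immuta defaults): names worth a reviewer's attention.
WATCHED_COLUMNS = {"SSN", "DOB"}
PRIVILEGED_ROLES = {"ACCOUNTADMIN"}

# Constructed sample export: one JSON object per line, trimmed to the fields used.
SAMPLE_LINES = [
    '{"action":"QUERY","actionStatus":"SUCCESS","actor":{"id":"taylor@example.com"},'
    '"auditPayload":{"queryId":"q-1","technologyContext":{"roleName":"ACCOUNTADMIN"},'
    '"objectsAccessed":[{"name":"DB.PUBLIC.CASE","columns":['
    '{"name":"SSN","securityProfile":{"sensitivity":{"score":"INDETERMINATE"}}},'
    '{"name":"COUNTRY","securityProfile":{"sensitivity":{"score":"INDETERMINATE"}}}]}],'
    '"securityProfile":{"sensitivity":{"score":"NONSENSITIVE"}}}}',
    '{"action":"QUERY","actionStatus":"SUCCESS","actor":{"id":"sam@example.com"},'
    '"auditPayload":{"queryId":"q-2","technologyContext":{"roleName":"ANALYST"},'
    '"objectsAccessed":[{"name":"DB.PUBLIC.EXHIBITION","columns":['
    '{"name":"THEME","securityProfile":{"sensitivity":{"score":"NONSENSITIVE"}}}]}],'
    '"securityProfile":{"sensitivity":{"score":"NONSENSITIVE"}}}}',
]

def score_of(node):
    """Return securityProfile.sensitivity.score, tolerating missing or null keys."""
    return ((node.get("securityProfile") or {}).get("sensitivity") or {}).get("score")

def review(line):
    """Return (queryId, actor id, sorted findings) for one audit line."""
    event = json.loads(line)
    payload = event.get("auditPayload") or {}
    role = (payload.get("technologyContext") or {}).get("roleName")
    findings = set()
    if event.get("action") == "QUERY" and role in PRIVILEGED_ROLES:
        findings.add(f"privileged role {role}")
    for obj in payload.get("objectsAccessed") or []:
        for col in obj.get("columns") or []:
            name = f'{obj.get("name")}.{col.get("name")}'
            if str(col.get("name", "")).upper() in WATCHED_COLUMNS:
                findings.add(f"watched column {name}")
                # The query-level score can read NONSENSITIVE while the column is unclassified.
                if score_of(col) == "INDETERMINATE":
                    findings.add(f"unclassified watched column {name}")
    return payload.get("queryId"), (event.get("actor") or {}).get("id"), sorted(findings)

def triage(lines):
    """Keep only reviewed records that produced findings."""
    return [r for r in map(review, lines) if r[2]]

if __name__ == "__main__":
    print(*triage(SAMPLE_LINES), sep="\n")
```

Because the default retention is 7 days, a check like this is most useful when run over the logs exported to S3 or ADLS Gen 2.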

Copyright © 2014-2024 Immuta Inc. All rights reserved.