Starburst Query Audit Logs
Deprecation notice
The /audit endpoint has been deprecated and replaced by Immuta Detect.
With the Event Listener enabled, users can view
audit records for queries made in Starburst against Immuta data sources through the /audit endpoint. Immuta audits the
activity of Immuta users on Immuta data sources.
Requirements
- Starburst integration with native query audit enabled
- Starburst tables registered as Immuta data sources
- Starburst users registered as Immuta users: Note that the users' Starburst usernames must be mapped to Immuta. Without this, Immuta will not know the users are Immuta users and will not collect audit events for their data access activity.
Best Practices: Store Audit Records
By default Starburst (Trino) audit records expire after 90 days, so store audit records outside of Immuta in order to retain the audit logs long-term.
Audit Message
Each audit message from the Immuta platform will be a one-line JSON object containing the properties listed below.
These audit records are stored with the recordType: prestoQuery.
| Property | Description | Example |
|---|---|---|
| ID | string |
b0000000-1234-abcd-11111111111111 |
| DateTime | integer or string The timestamp for when the record was created. This may be an ISO-8601 timestamp string or an epoch timestamp. |
2504188066580 or 2017-08-31T14:01:15.607Z |
| Month | integer |
1455 |
| ProfileID | integer The profile ID of the user who made the query. |
1 |
| UserID | string The user ID of the user who made the query. |
jane.doe@immuta.com |
| DataSourceID | integer The ID of the data source that was queried. |
12 |
| DataSourceName | string The name of the data source that was queried. |
Public Customer Data |
| ProjectID | integer The ID of the project the data source is in. |
18 |
| ProjectName | string The name of the project the data source is in. |
Project 1 |
| RecordType | string The type of record captured. |
Trino query audit records will always be prestoQuery. |
| Success | boolean If true, the query was successful. |
true or false |
| Component | string The Immuta component that generated the record. |
nativeSql |
| AccessType | string Indicates whether access was granted to an individual blob or if this was a query potentially encompassing many blobs. |
query |
| Query | string The query that was run in the integration. Immuta truncates the query text to the first 2048 characters. |
select * from immuta.public. \"case\" limit 50 |
| Extra | array Information on the query, including viewSql, direct, and maskedColumns. |
See example audit record below. |
| DataSourceSchemaName | string |
The name of the schema that the data source that was queried came from. |
| DataSourceTableName | string The name of the table of the data source that was queried. |
case |
| sqlUser | string The Starburst username of the user who made the query. |
kris |
Example Audit Record
{
"id": "b0d49f2a-4a34-4d50-b36e-fd9b619eed32",
"dateTime": "1617997828777",
"month": 1455,
"profileId": 1,
"userId": "kris@immuta.com",
"dataSourceId": 41,
"dataSourceName": "Crime Data Delta",
"projectId": 17,
"count": 1,
"recordType": "prestoQuery",
"success": true,
"component": "nativeSql",
"accessType": "query",
"query": "select * from immuta.public. \"case\" limit 50",
"extra": {
"direct": true,
"maskedColumns": {
"ssn": "Hashing",
"dob": "Generalization",
"country": "Constant"
}
},
"dataSourceSchemaName": "public",
"dataSourceTableName": "default_crime_data_delta",
"sqlUser": "kris",
"createdAt": "2021-04-09T19:50:28.787Z",
"updatedAt": "2021-04-09T19:50:28.787Z"
}