
Snowflake Query Audit Logs

Audience: Users with the AUDIT permission and Data Owners

Content Summary: This page describes Snowflake native query auditing and the common JSON properties of Snowflake native query audit logs in Immuta.

For a tutorial on getting these audit logs, see the View Audit Logs page.

Prerequisites:

  • Snowflake integration with Auditing enabled
  • Snowflake Enterprise Edition or higher

Best Practices: Store Audit Records

By default, most Immuta audit records expire after 60 days, so store audit records outside of Immuta to retain them long term.

The following audit record types do not expire after 60 days: blobFetch, dataSourceSubscription, globalPolicyApproved, globalPolicyApprovalRescinded, globalPolicyChangeRequested, globalPolicyConflictResolved, globalPolicyCreate, globalPolicyDelete, globalPolicyDisabled, globalPolicyUpdate, policyExemption, policyHandlerCreate, policyHandlerUpdate, prestoQuery, spark, and sqlQuery.

Overview

With this feature enabled during installation, queries that users run natively in Snowflake will be audited in Immuta. Immuta uses the Snowflake QUERY_HISTORY and ACCESS_HISTORY tables and translates them into Immuta audit logs that can be viewed and downloaded within the Immuta UI or using the Immuta API.

Prompt Native Query Audit

To manually prompt the native query audit, click Native Query Audit on the Audit page:

Native Query Button: Audit Page

Alternatively, the schedule for the automatic job can be changed to fit your needs. See instructions for changing the frequency of the automatic job on the App Settings Tutorial page.

Audit Messages

Each audit message from the Immuta platform will be a one-line JSON object containing the properties listed below. These audit records are stored with the recordType: nativeQuery.

| Property | Type | Description | Example |
|---|---|---|---|
| DateTime | integer or string | The timestamp for when the record was created. This may be an ISO-8601 timestamp string or an epoch timestamp. | 2504188066580 or 2017-08-31T14:01:15.607Z |
| ProfileID | integer | The profile ID of the user who made the query. | 1 |
| UserID | string | The user ID of the user who made the query. | jane.doe@immuta.com |
| DataSourceID | integer | The ID of the data source that was queried. | 12 |
| DataSourceName | string | The name of the data source that was queried. | Public Customer Data |
| RecordType | string | The type of record captured. Native query audit records will always be nativeQuery. | nativeQuery |
| Success | boolean | If true, the query was successful. | true or false |
| Component | string | The Immuta component that generated the record. | nativeSql |
| AccessType | string | Indicates whether access was granted to an individual blob or if this was a query potentially encompassing many blobs. | query |
| Query | string | The query that was run in the integration. | select * from IMMUTA.PUBLIC.CUSTOMER; |
| Handler | string | The integration type. | Snowflake |
| StartTime | timestamp | The date and time the query started in UTC. | 2021-09-20 17:20:00.39100000 +0000 |
| EndTime | timestamp | The date and time the query ended in UTC. | 2021-09-20 17:20:02.42100000 +0000 |
| Duration | integer | The time the query took in milliseconds. | 2030 |
| NativeObject | string | The fully qualified object that was queried. | IMMUTA.PUBLIC.CUSTOMER |
| NativeObjectType | string | The type of the object that was queried. | view or table |
| Host | string | The host that the integration is connected to. | your-hostname.snowflake.computing.com |
| Database | string | The database that the native object resides in. | IMMUTA |
| SQLUser | string | The integration username of the user who made the query. | jane.doe@immuta.com |
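When these records are stored outside Immuta, the two timestamp shapes of DateTime and the 8-digit fractional seconds of StartTime and EndTime need normalizing before they can be indexed or compared. The following is an added example, not Immuta's own code: the function names are hypothetical, and it assumes the epoch form of DateTime is in milliseconds, that property names are spelled as in the table (lookups are case-insensitive), and that the export holds one JSON object per line.

```python
import json
import re
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
QUERY_TS = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)(?:\.(\d+))? ([+-]\d{4})$")

def parse_datetime(value):
    """DateTime is either an epoch number (assumed milliseconds) or ISO-8601 text."""
    if isinstance(value, (int, float)):
        return EPOCH + timedelta(milliseconds=value)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_query_time(value):
    """StartTime/EndTime carry 8 fractional digits; strptime's %f accepts at most 6."""
    m = QUERY_TS.match(value)
    if m is None:
        raise ValueError(f"unexpected timestamp format: {value!r}")
    base, frac, offset = m.groups()
    micros = (frac or "")[:6].ljust(6, "0")
    return datetime.strptime(f"{base}.{micros} {offset}", "%Y-%m-%d %H:%M:%S.%f %z")

def normalize(line):
    """Return an archive-ready row for a nativeQuery record, or None for other types."""
    rec = {k.lower(): v for k, v in json.loads(line).items()}  # key casing: assumption
    if rec.get("recordtype") != "nativeQuery":
        return None
    elapsed = parse_query_time(rec["endtime"]) - parse_query_time(rec["starttime"])
    return {
        "logged_at": parse_datetime(rec["datetime"]).isoformat(),
        "user": rec["userid"], "object": rec["nativeobject"],
        "success": rec["success"],
        # Consistency check: Duration (ms) should equal EndTime - StartTime.
        "duration_matches": elapsed // timedelta(milliseconds=1) == rec["duration"],
    }

# Constructed sample export built from the Example column above (not real audit data).
_BASE = {"UserID": "jane.doe@immuta.com", "RecordType": "nativeQuery", "Success": True,
         "NativeObject": "IMMUTA.PUBLIC.CUSTOMER", "Duration": 2030,
         "StartTime": "2021-09-20 17:20:00.39100000 +0000",
         "EndTime": "2021-09-20 17:20:02.42100000 +0000"}
SAMPLE_LINES = [
    json.dumps({**_BASE, "DateTime": "2017-08-31T14:01:15.607Z"}),
    json.dumps({**_BASE, "DateTime": 2504188066580, "Success": False, "Duration": 5000}),
    json.dumps({**_BASE, "DateTime": 2504188066580, "RecordType": "sqlQuery"}),
]

def archive_rows(lines):
    """Normalize every line and drop records that are not native query audits."""
    return [row for row in map(normalize, lines) if row is not None]
```

Calling `archive_rows(SAMPLE_LINES)` returns two rows: the third constructed line is skipped because its record type is not nativeQuery, and the second is flagged because its Duration does not match its timestamps.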