Manage Monitors and Observations
This feature is only available to selected accounts. Please contact your Immuta representative to enable this feature.
- Immuta permission
- Snowflake integration with governance features and native query audit enabled
- Monitors feature enabled on your Immuta tenant
Create a monitor
- Navigate to Detect in the navigation menu.
- Click Create Monitor.
- Enter a Name for the monitor.
Choose what to monitor in the dropdown menu:
- When User Accessed Any Data Source: This monitors user activity for all data sources in Immuta.
- When User Accessed Data Source in Schema: This monitors user activity for just the data sources within the schema you enter.
- When User Accessed Specific Data Source: This monitors user activity for the specific data source you enter.
Create conditions for the monitor to further scope user activities by specific tags, sensitivities, and query execution outcome:
- Tag: This scopes the monitor to consider queries whose event context includes all of the selected tags. The query must be associated with all specified tags in any combination of queried column tags, queried classification tags, and queried table tags. See also the query event context concept.
- Query Outcome: This scopes the monitor to consider queries that were executed as successful or unauthorized. You can select Unauthorized to create a monitor that can notify you when a registered Immuta user has exceeded the configurable threshold for unauthorized queries. This condition only works with the User Query Count metric scoped to When User Accessed Any Data Source.
- Sensitivity: This scopes the monitor to only consider queries that are classified as sensitive or highly sensitive. This condition should only be used if classification has been configured.
You can create up to two conditions for each monitor, and they must all be satisfied for the query to be considered by the monitor.
Select Next to configure rules.
- Select the Timeframe from the dropdown menu to specify the time range within which the threshold cannot be exceeded.
Choose what kind of user activity metric to monitor in the metric dropdown menu:
- Number of Rows Accessed: This monitors for the quantity of rows the user accessed and can be combined with additional conditions on tags and sensitivity. The exact number of rows is configured in the severity thresholds.
- User Query Count: This monitors the number of queries the user made and can be combined with additional conditions on tags, sensitivity, and query outcome. The exact number of queries is configured in the severity thresholds.
Select one of the Severity Thresholds to set thresholds for the configured user activity metric. An observation will be created and assigned the matching severity when the metric exceeds the threshold.
- Click Next to show the notifications configuration.
- Choose the frequency of the notifications to webhooks when an observation is created:
- Never: You can review observations in the Immuta application, and Immuta will not send webhook notifications when observations are made.
- Notify each time an Observation is generated: Every time a monitor creates an observation, a webhook notification will be sent.
- Notify the first time an Observation is generated for each user: A webhook notification will be sent only for the first observation the monitor creates about a user. You will not receive notifications from the monitor again for later observations about a user you were already notified about. New observations about users that were previously notified can be reviewed in the Immuta UI.
- Select a webhook from the dropdown menu or opt to create a new webhook.
- Choose the severity you want notifications for. This will send out webhook notifications only for the severity threshold that you select.
- Click Next and review the monitor selections.
- Click Create Monitor.
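To check how a planned combination of conditions, timeframe, metric and thresholds will behave before creating the monitor, the sketch below models the semantics described on this page over constructed audit events. It is an added example, not Immuta code: the event field names, the severity labels (`low`, `medium`, `high`), the fixed lookback window and the function names are all assumptions, and the Sensitivity condition is left out.

```python
from datetime import datetime, timedelta

def ev(user, hour, rows, outcome, column=(), classification=(), table=()):
    """Build one constructed audit event; field names are assumptions, not Immuta's schema."""
    return {"user": user, "ts": datetime(2024, 1, 1, hour), "rows": rows, "outcome": outcome,
            "tags": set(column) | set(classification) | set(table)}

# Constructed sample events: tags may come from columns, classification, or tables.
EVENTS = [
    ev("alice", 9, 400, "success", column=["PII"], table=["Finance"]),
    ev("alice", 10, 700, "success", classification=["PII"], column=["Finance"]),
    ev("alice", 11, 5000, "success", column=["PII"]),          # lacks Finance: ignored
    ev("bob", 10, 300, "success", column=["PII", "Finance"]),
    ev("bob", 2, 9000, "success", column=["PII", "Finance"]),  # outside the timeframe
    ev("carol", 11, 0, "unauthorized"),
    ev("carol", 11, 0, "unauthorized"),
    ev("carol", 12, 0, "unauthorized"),
]

def matches(event, tags=frozenset(), outcome=None):
    """Every condition must hold; all selected tags must appear in the event context."""
    return set(tags) <= event["tags"] and outcome in (None, event["outcome"])

def evaluate(events, now, timeframe, metric, thresholds, **conditions):
    """Return {user: severity} where the metric exceeded a threshold within the timeframe."""
    if len(conditions) > 2 or ("outcome" in conditions and metric != "count"):
        raise ValueError("at most two conditions; outcome requires the query count metric")
    totals = {}
    for e in events:
        if now - timeframe < e["ts"] <= now and matches(e, **conditions):
            totals[e["user"]] = totals.get(e["user"], 0) + (e["rows"] if metric == "rows" else 1)
    observations = {}
    for user, value in totals.items():
        exceeded = [sev for sev, limit in thresholds.items() if value > limit]
        if exceeded:  # assign the highest threshold that was crossed
            observations[user] = max(exceeded, key=thresholds.get)
    return observations

def notify(observations, severity, mode, notified):
    """Return users to send a webhook for; 'first' mode suppresses repeats per user."""
    if mode == "never":
        return []
    users = sorted(u for u, sev in observations.items()
                   if sev == severity and not (mode == "first" and u in notified))
    notified.update(users)
    return users

NOW, WINDOW = datetime(2024, 1, 1, 13), timedelta(hours=8)  # constructed evaluation time
```

With the tag condition `{"PII", "Finance"}` and the rows metric, only alice's first two queries count, so a single large query that carries just one of the tags never produces an observation.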