Unified Audit Model (UAM)
Private Preview
This feature is only available to selected accounts.
Immuta’s unified audit model (UAM) provides audit logs with a consistent structure for query, authentication, policy, project, and tag events from your Immuta users and data sources. You can view the information in these UAM audit logs on the Detect dashboards, or export the full audit logs to S3 and process them with your own log data processors and tools. This capability supports integrations with log monitoring services and data pipelines.
You can specify an S3 bucket destination where Immuta will periodically export audit logs. Only events relevant to user and system actions that affect Immuta or the integrated data platforms are captured, such as creating policies or data sources and running queries.
Requirements
Immuta audit service
The Immuta audit service is an independent microservice that captures audit events from Immuta and queries run against your Databricks or Snowflake integration.
Immuta stores the export endpoints you provide during configuration, retrieves the audit records pushed to the audit service by your integration, and manages the audit exports based on an export schedule you define. These audit records are also stored to support future reporting and user interface enhancements that will allow you to search based on keywords and facets easily across the entire body of audit events.
Unified audit model events captured
The following sets of events are captured and can be exported to S3. The export will only contain data access logs and the following configuration events:
- Attribute applied events (AttributeApplied)
- Data source events
  - DatasourceCreated
  - DatasourceUpdated
  - DatasourceDeleted
  - DatasourceDisabled
- Data source synced from data access pattern or integration events (DatasourceCatalogSynced)
- License events
  - LicenseCreated
  - LicenseDeleted
- Purpose events
  - PurposeUpserted
  - PurposeUpdated
  - PurposeDeleted
- Databricks query events (DatabricksQuery)
- Snowflake query events (SnowflakeQuery)
- Tag events
  - TagApplied
  - TagCreated
  - TagDeleted
  - TagRemoved
  - TagUpdated
- User sign in events (UserAuthenticated)
- User updated events (UserUpdated)
- Webhook events
  - WebhookCreated
  - WebhookDeleted
For example audit events captured in UAM, see the Example audit events page.
Audit export workflow
- When you configure the audit S3 export using the CLI, the audit service stores the export endpoint you provided.
- After the integration endpoint has been configured, the export scheduler will run on the schedule you defined in your configuration.
- When users query data and the event is audited, the audit service receives events from your Snowflake or Databricks integration.
- Immuta exports the audit logs to your configured S3 bucket.
Limitations
- The export will only contain data access logs; other logs, such as those related to policy configuration, data source and project creation, and tags, will not be included.
- The audit service does not capture system-level logging and debugging information, such as 404 errors.
Snowflake query limitations
- Snowflake query audit events from a query using cached results will show 0 for the rowsProduced field.
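The following is an added example, not Immuta code: a triage pass over an exported file that sorts records by the event names listed above and keeps Snowflake queries reporting 0 for rowsProduced apart from the row total, since a cached-result query reports the same value. It assumes the export is one JSON object per line with a hypothetical "eventType" key; only rowsProduced and the event names come from this page, and the sample records are constructed.

```python
import json
from collections import Counter
# Event names are the ones listed on this page; splitting them into
# "query" and "non-query" sets is this example's own grouping.
QUERY_EVENTS = {"DatabricksQuery", "SnowflakeQuery"}
NON_QUERY_EVENTS = {
    "AttributeApplied", "DatasourceCreated", "DatasourceUpdated",
    "DatasourceDeleted", "DatasourceDisabled", "DatasourceCatalogSynced",
    "LicenseCreated", "LicenseDeleted", "PurposeUpserted", "PurposeUpdated",
    "PurposeDeleted", "TagApplied", "TagCreated", "TagDeleted", "TagRemoved",
    "TagUpdated", "UserAuthenticated", "UserUpdated", "WebhookCreated",
    "WebhookDeleted",
}

# Constructed sample export. ASSUMPTION: one JSON object per line, keyed by a
# hypothetical "eventType" field; only "rowsProduced" is named on the page.
SAMPLE_EXPORT = """\
{"eventType": "SnowflakeQuery", "rowsProduced": 1200}
{"eventType": "SnowflakeQuery", "rowsProduced": 0}
{"eventType": "DatabricksQuery"}
{"eventType": "TagApplied"}
{"eventType": "SomethingNew"}
not-json
"""

def triage(export_text):
    """Return (per-class counts, rows total) for one exported file."""
    counts, rows_total = Counter(), 0
    for line in filter(str.strip, export_text.splitlines()):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            event = None
        if not isinstance(event, dict):
            counts["malformed"] += 1
            continue
        name, rows = str(event.get("eventType")), event.get("rowsProduced")
        if name in QUERY_EVENTS:
            counts["query"] += 1
            if name == "SnowflakeQuery" and rows == 0:
                # Cached-result queries also report 0: treat as unknown.
                counts["snowflake_zero_ambiguous"] += 1
            elif isinstance(rows, int):
                rows_total += rows
        elif name in NON_QUERY_EVENTS:
            counts["non_query"] += 1
        else:
            counts["unrecognized"] += 1  # surface schema drift, do not drop
    return dict(counts), rows_total
```

Calling triage(SAMPLE_EXPORT) returns the per-class counts and the row total; a rising snowflake_zero_ambiguous count marks records where row-volume alerting cannot rely on rowsProduced.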