Extracting Insights from Immuta Audit Logs

Collecting audit logs is a critical first step—but the true value comes from transforming that data into insights that strengthen governance, demonstrate compliance, and proactively manage risk.

This guide is for teams who have already set up Immuta audit log exports and are ready to take the next step: using those logs to answer real-world access and policy questions. You’ll learn how to focus on the events that matter most, set up targeted monitoring strategies, and identify when to use dashboards versus real-time notifications.

We’ll also walk through example scenarios, from tracking permission changes to detecting newly registered PII, so you can see how audit data translates into actionable intelligence in your environment.

Immuta retains logs for 90 days by default, so exporting audit logs to secure storage (e.g., Amazon S3 or Azure Data Lake Gen2) ensures long-term visibility and enables deeper analysis. If you haven’t completed export setup yet, see the Audit how-to guides before continuing.

Develop your audit strategy

Immuta’s audit logs can answer dozens of questions, but the most effective audit programs begin by focusing on what matters most to your business. By starting with the right questions, you’ll avoid sifting through logs without context and instead focus on insights that align with your access model, compliance requirements, and risk profile.

This section is designed to help you move from reactive logging to a proactive, business-aligned audit strategy.

Discovery questions to guide your audit priorities

Access control and entitlements

  • Are you responsible for tracking how user entitlements shift over time?

    • Monitor SubscriptionUpdated, SubscriptionDeleted

  • Do you need to review or validate who approved access to a dataset?

    • Monitor SubscriptionRequestApproved, SubscriptionCreated

Metadata changes

  • Do you need to monitor the removal or adding of tags on data sources or columns?

    • Monitor TagApplied, TagRemoved

  • Do you need to monitor the creation, deletion, or updates of tags in Immuta?

    • Monitor TagCreated, TagUpdated, TagDeleted

  • Do you need to monitor the removal or adding of user attributes?

    • Monitor AttributeApplied, AttributeRemoved

User management

  • Do you want to detect if users are being created or updated locally in Immuta instead of via your IAM provider?

    • Monitor UserCreated, UserCloned, UserDeleted, UserUpdated

  • Do you need to know when permissions given to users in Immuta are updated?

    • Monitor PermissionApplied, PermissionRemoved, DomainPermissionsUpdated

Policy oversight

  • Do you need to know when a policy is created, updated, or deleted and by whom?

    • Monitor GlobalPolicyCreated, GlobalPolicyUpdated, GlobalPolicyDeleted

  • Do you want to understand how a policy change affects access?

    • Correlate GlobalPolicyUpdated with subsequent auditPayload

Compliance and regulatory obligations

  • Do you need to demonstrate that sensitive data has been classified and governed appropriately?

    • Monitor TagApplied, SDDDatasourceTagUpdated to review classification coverage across registered sources

  • Are you required to maintain a complete audit trail of who accessed what and when?

    • Log and export all QUERY events, along with actionStatus, eventTimestamp, auditPayload.objectsAccessed

Application and platform configuration

  • Do you want to track when new data sources are added?

    • Monitor DatasourceCreated

  • Do you want to track any changes made to the Immuta application settings?

    • Monitor ConfigurationUpdated

Risk detection

  • Do you want to detect queries on sensitive data?

    • Monitor QUERY events with auditPayload.securityProfile.sensitivity.score

  • Would it be a problem if someone tried to access data they shouldn't have?

    • Monitor failed QUERY events

Dashboards vs. notifications: choosing the right level of monitoring

Not every audit event needs a real-time alert. One of the most effective ways to build a sustainable audit strategy is to decide upfront which insights should live in a dashboard (for ongoing visibility) and which deserve a notification (to drive immediate action).

Use case
Recommended action

Track policy edits over time

Dashboard

Review all access grants and removals weekly

Dashboard

Catch manual grants

Notification

Track Immuta application permission changes

Notification

Detect query spikes on sensitive data

Dashboard + otification over a certain threshold

Show entitlement changes weekly

Dashboard

Example scenarios

Once your Immuta audit logs are flowing to a secure location, you can begin filtering them to answer common governance, access, and compliance questions. Below are three practical scenarios to help you get started. These can be adapted to your analytics platform of choice.

1. Monitor key configuration changes in Immuta application

Governance teams need visibility into high-impact configuration changes, especially those that affect how access is granted or enforced. Even when these changes are made by privileged users, it’s important to track actions that directly influence data exposure, such as assigning governance roles or modifying user permissions.

Relevant audit events

PermissionApplied, PermissionRemoved, DomainPermissionsUpdated.

Example SQL

The SQL script below will retrieve all permissions that have been applied, removed, or updated on the domain level.

The script is an example in Snowflake where we have created an external stage (@S3_audit_stage) that points to the S3 location where the audit files are exported to.

SELECT
    t0.value:eventTimestamp::datetime as eventtimestamp,
    t0.value:type::string as type,
    t0.value:actionStatus::string as actionstatus,
    t0.value:actor.id::string as user,
    case 
        when t0.value:type::string = 'DomainPermissionsUpdated' 
        then t0.value:relatedResources[0].name::string 
        else t0.value:targets[0].name::string 
    end as affecteduser,
    case 
        when t0.value:type::string = 'DomainPermissionsUpdated' 
        then t0.value:targets[0].name::string 
        else null
    end as affecteddomain,
    case 
        when t0.value:type::string = 'DomainPermissionsUpdated' 
        then t0.value:auditPayload.permissionUpdates[0].permissions::variant 
        else t0.value:relatedResources[0].name::string
    end as permissions,
    t0.value as json
FROM @S3_audit_stage (file_format => 'json_format',pattern=>'.*json'),
    lateral flatten (input => $1) as t0
WHERE type in ('PermissionApplied', 'PermissionRemoved', 'DomainPermissionsUpdated')
order by eventTimestamp desc;

Optional alerts

You can monitor permission changes in Immuta by setting up a webhook on the permissionsUpdated notification. To do this, trigger an API call to create the webhook, using a URL from your chosen application (e.g., Slack) configured to receive incoming webhooks. The example below uses a Slack webhook URL.

For more advanced filtering, you can introduce a lightweight Lambda (or similar service) to process webhook events. This allows you to evaluate each event—for example, to check whether it occurred outside business hours or involved high-risk permissions like USER_ADMIN or GOVERNANCE—and only forward alerts that meet your criteria.

Example webhook payload
curl \
    --request POST \
    --header "Authorization: <api-token>" \
    --data @example-payload.json \
    https://<your-tenant-name>.hosted.immutacloud.com/webhooks



example-payload.json:
{
 "webhooks": [
   {
     "url": "https://hooks.slack.com/services/T00000/B00000/XXXXXXXXXXXXXXXXX",
     "name": "Updated permissions",
     "global": true,
     "notificationType": [
       "permissionsUpdated"
     ],
     "actionType": "triggered"
   }
 ]
}

2. Monitor policy and access control changes

When policies are updated—especially those that govern sensitive or regulated data—teams should be alerted to the change and understand its downstream impact. Because Immuta policies are dynamic and metadata-driven, even minor changes can significantly alter access.

To monitor policy edits and evaluate their potential impact, use audit logs to pinpoint policy changes, then correlate them with access modifications and shifts in query behavior over time.

  • Creating, updating, or deleting policies

  • Applying or removing tags (especially on sensitive datasets)

  • Adding or removing user attributes that affect entitlements

Relevant audit events

  • Policy events: GlobalPolicyCreated, GlobalPolicyUpdated, GlobalPolicyDeleted.

  • Tag events: TagApplied, TagRemoved.

  • Attribute events: AttributeApplied, AttributeRemoved.

  • Permissions events: PermissionApplied, PermissionRemoved, DomainPermissionsUpdated.

Example SQL

The example below will give an overview of all tag, attribute, and policy audit events mentioned above from your exported audit logs in Snowflake.

SELECT
    t0.value:eventTimestamp::datetime as eventtimestamp,
    t0.value:type::string as type,
    t0.value:actionStatus::string as actionstatus,
    t0.value:actor.id::string as user,
    t0.value:targets[0].name::string as affectedobject, 
    coalesce(concat(
                    t0.value:auditPayload.attributes[0].attribute::string
                    , ': '
                    , replace(replace(t0.value:auditPayload.attributes[0].values::string,'[', ''),']','')) --attributes
            , t0.value:auditPayload.appliedTags[0].tags[0].name::string --applied tags
            , t0.value:auditPayload.removedTags[0].tags[0].name::string --removed tags
            , t0.value:auditPayload.policy.actions[0].dataPolicyType::string -- data policies
            , t0.value:auditPayload.policy.actions[0].type::string -- subscription policies
            ) as value,
    t0.value as json
FROM @S3_audit_stage (file_format => 'json_format',pattern=>'.*json'),
    lateral flatten (input => $1) as t0
WHERE type in ( 'TagApplied', 'TagRemoved'
                , 'AttributeApplied', 'AttributeRemoved'
                , 'GlobalPolicyUpdated', 'GlobalPolicyCreated', 'GlobalPolicyDeleted')
order by eventTimestamp desc;

You can set up alerts using Immuta’s webhook functionality. For example, to receive notifications when a user attribute is manually added, updated, or removed, configure a webhook for the attributeAdded, attributeUpdated, and attributeRemoved notifications. To create the webhook, trigger an API call to Immuta using a URL from your chosen application (e.g., Slack) that is configured to receive incoming webhooks. The example below uses a URL for Slack.

Example webhook payload
curl \
    --request POST \
    --header "Authorization: <api-token>" \
    --data @example-payload.json \
    https://<your-tenant-name>.hosted.immutacloud.com/webhooks



example-payload.json:
{
 "webhooks": [
   {
     "url": "https://hooks.slack.com/services/T00000/B00000/XXXXXXXXXXXXXXXXX",
     "name": "attributeAlert",
     "global": true,
     "notificationType": [
       "attributeAdded", "attributeUpdated", "attributeRemoved"
     ],
     "actionType": "triggered"
   }
 ]
}

3. Monitor when new PII or PCI data is registered

When new columns are added to an existing dataset—especially when those columns contain PII or PCI—governance teams need to know. In Immuta, newly registered columns are automatically tagged with New, and identification applies tags like PII or PCI when it detects sensitive information. This makes it possible to identify when data engineers introduce sensitive fields to an already-governed table.

By monitoring these tags at the point of registration, governance teams can proactively review datasets and ensure appropriate access controls are in place before those datasets are exposed to users.

Relevant audit event

TagApplied

Example SQL

This script is an example in Snowflake where an external stage (@S3_audit_stage) points to the S3 location where the audit files are exported to.

SELECT
    t0.value:eventTimestamp::datetime as eventtimestamp,
    t0.value:type::string as type,
    t0.value:actionStatus::string as actionstatus,
    t0.value:actor.id::string as user,
    t0.value:targets[0].name::string as affectedobject, 
    t0.value:auditPayload.appliedTags[0].tags[0].name::string as appliedtags,
    t0.value as json
FROM @S3_audit_stage (file_format => 'json_format',pattern=>'.*json'),
    lateral flatten (input => $1) as t0
WHERE type in ( 'TagApplied') and t0.value:auditPayload.appliedTags[0].tags[0].name::string ilike '%PII%'
order by eventTimestamp desc;

Conclusion

Immuta audit logs offer more than just a record of activity—they’re a powerful foundation for proactive governance, risk detection, and regulatory compliance. By focusing on high-impact events, aligning monitoring with business priorities, and combining dashboards with alerts, you can turn raw log data into actionable intelligence.

Whether you're tracking permission changes, policy updates, or the registration of new sensitive data, a thoughtful audit strategy helps you stay ahead of risk and maintain trust in your data ecosystem.

Last updated

Was this helpful?