Understanding Immuta Audit Logs
Immuta provides robust audit logging to capture a complete history of key activity within the platform and governed data sources. This includes policy creation and updates, access approvals, user and group attribute changes, tag applications, and query activity in technologies like Snowflake, Databricks, and Unity Catalog.
This visibility is essential for any organization managing sensitive data, regardless of size, industry, or data governance maturity. Audit logs offer:
Technical transparency to understand how access is granted and enforced
Operational accountability to trace decisions and user behavior
Regulatory evidence required to meet compliance obligations under frameworks like HIPAA, GDPR, and CCPA.
This guide is intended for data platform, security, and governance teams who are getting started with Immuta audit logs. It explains what Immuta captures, how those events are structured, and how to begin analyzing them effectively.
Types of audit logs
Immuta audit logs provide visibility into both how the Immuta application is used and how governed data is accessed in connected technologies. Together, these logs allow teams to trace how access is managed and enforced across the entire data ecosystem. These logs fall into two primary categories: application events and query events.
1. Application events
Application audit logs are focused on capturing how the Immuta application is used—specifically, who took what action, when, and why. These logs are especially useful for tracking
Policy creation, updates, and deletions
Changes to data source metadata, including applied tags
User or group attribute updates that affect entitlements
Access requests and approvals
Permission grants and denials for governed data sources
These records help governance and compliance teams trace decision points over time and verify how the Immuta application is enforcing access. For example, if a user gains access to a dataset tagged as sensitive, audit logs can help show whether that access resulted from a new policy, a group change, an updated user attribute, or a tag applied to the dataset.
2. Query events
Query audit logs capture governed data access in connected platforms. These logs show
Which user queried which table or data source
The timestamp and context of the query
The columns accessed or policies enforced (in supported platforms)
This information is critical for detecting anomalies and demonstrating that sensitive data is only accessed under the right conditions.
What’s captured in audit logs
All audit events—whether from Immuta application activity or query execution—follow a consistent structure, making them easy to analyze at scale. Each event typically includes the following fields:
action
Describes what occurred, like CREATE
, UPDATE
, DELETE
, or APPLY
.
targetType
Indicates the object affected by the action, like USER
, POLICY
, DATASOURCE
, TAG
, or ATTRIBUTE
.
actor
Identifies the user or system that performed the action, including their Immuta username, identity provider, and IP address.
timestamp
Shows when the action occurred.
sessionId
and requestId
Useful for correlating related events performed in a single session or transaction.
relatedResources
Shows metadata involved in the event, like as applied tags or attributes.
auditPayload
Provides object-specific details, such as which attribute value was applied or what tag was added.
These fields can be used to filter or join logs across different audit event types, helping you reconstruct access behavior, policy changes, or system activity over time.
Learn more about what's captured in the UAM schema reference guide.
What is not captured in Immuta audit logs?
Immuta’s audit logs are focused on access control and governance behavior within the Immuta application and queries in the platforms it governs. Immuta does not audit
Activity outside governed platforms (e.g., access to unmanaged data stores)
Failed login attempts done via SSO (these should be captured in your SSO provider audit logs)
Auditing metadata-driven access
One of the most important aspects of Immuta’s access control model is that policies are dynamic and metadata-driven. That means a user’s access can change even if no one edits the policy directly.
For example:
A policy allows access to tables tagged
business.marketing
for users with the attributedepartment=marketing
.If a user is granted the marketing attribute, or if a new
business.marketing
tag is added to a table, that user will now have access, even though the policy itself was not changed.
Immuta audit logs will reflect these events, showing when
A user’s attribute was updated (
AttributeApplied
)A tag was added to a data source (
TagApplied
)
These indirect events often explain changes in access and are essential to review during audits and investigations.
Next steps
If you haven’t yet configured audit log export, your first step is to set up export to secure storage, such as Amazon S3 or Azure Data Lake Gen2. This ensures that logs are retained beyond Immuta’s 90-day default and remain available for long-term analysis. Setup instructions are available in the Audit how-to guides.
If your exports are already in place, you're ready to begin analyzing the data. To learn how to filter for key events and monitor access patterns, see Extracting Insights from Immuta Audit Logs.
Last updated
Was this helpful?