Skip to content

Using Immuta Detect

Immuta Detect provides value from the moment the dashboards are visible, which can be enabled for organizations with Snowflake, Databricks Spark, and Databricks Unity Catalog integrations. Currently, organizations with Snowflake integrations can get even more value with data sensitivity and tagging. To determine and surface the sensitivity of your data access, enable and tune classification.

Completing all the steps below will fully onboard you with Detect and Discover:

  1. View Detect dashboards
  2. Show data sensitivity with Discover
  3. Adjust and accept data sensitivity
  4. Get historical audit information

Before you begin

Prerequisites:

The onboarding process assumes that these prerequisites have already been set up, but here are the Immuta features and configuration required to enable Detect. Each integration can be used alone or a Snowflake integration can be used with either Databricks Spark or Databricks Unity Catalog. Databricks Spark and Databricks Unity Catalog are not supported together with Detect:

For Snowflake integrations:

  • A Snowflake integration:

    • With governance features: This integration type is enabled by default for all new Snowflake integrations and is required for the audit information needed for Detect.
    • Native query audit enabled: This feature can be enabled when first configuring the integration or when editing the integration.
    • (Recommended) Table grants enabled: While not required, it is recommended to enable this feature to properly audit unauthorized query events. Without it, unauthorized events will still show as successful. Project workspaces cannot be used with table grants, so if your organization relies on them, leave this feature disabled.
    Benefits and limitations of enabling table grants

    With table grants enabled:

    • Unauthorized query events will be audited and present in the Detect dashboards.
    • Table grants will manage the privileges in Snowflake for Immuta tables, making it more efficient than without.

    Without table grants:

    • Unauthorized events are unavailable because users will have successful queries of zero rows, even if they do not have access to the table.
    • You can use project workspaces. Table grants is not compatible with project workspaces. If your organization depends on that capability, table grants is not recommended.
  • Snowflake tables and users registered in Immuta: Detect only audits events by users registered in Immuta on tables registered in Immuta. If you do not register the tables and users, their actions will not appear in the audit records or on the Detect dashboards.

For Databricks Spark integrations:

For Databricks Unity Catalog integrations:

Recommended:

This setting is not required for Detect, but can be used for better functionality:

  • No subscription policy by default: This feature sets the subscription policy of all new data sources to none when they are registered. Using this feature, allows for organizations to register all Snowflake tables in Immuta. Their audit information will appear in the Detect dashboards, but users' access to them will not be impacted by Immuta until a subscription policy is set.

View Detect dashboards

Requirement:

Immuta permission USER_ADMIN

Actions:

  1. Grant users the AUDIT permission to see the Detect dashboards.
  2. Navigate through Immuta Detect and explore the dashboards that visualize user and query audit information for your data environment.

These actions will result in users seeing the Detect dashboards containing information on the audit events in your data environment. These dashboards will not contain any information on the sensitivity of your data.

To see sensitivity information using a Snowflake integration, proceed with the steps below.

Show data sensitivity with Discover

Only available with Snowflake integrations.

Discover classification is supported with Databricks and Snowflake integrations; however, the sensitivity can only be visualized in Detect dashboards with Snowflake integrations.

There are two options to tag data and activate classification frameworks to determine the sensitivity of your data:

  1. (Recommended) Use Immuta sensitive data discovery (SDD) to automatically categorize and tag your data: This option is the smoothest onboarding experience because it is the most automated process. You will not need to manually tag your data, and the framework to determine sensitivity is already set to use the SDD tags.
  2. Use your organization's external tags: This option requires more manual configuration, but is best for organizations that have already configured tags for their tables. Please contact your Immuta representative for guidance.

After completing either of the tutorials above, data sources are tagged with entity tags and classification tags. Once users start querying data, and after the data latency with Snowflake, the Detect dashboards will show audit information with sensitivity information and the Discover data inventory dashboard will show details about the data that was scanned.

If you notice some sensitivity types are not appearing as you expect, proceed with the step below.

Adjust and accept data sensitivity

Only available with Snowflake integrations.

Discover classification is supported with Databricks and Snowflake integrations; however, the sensitivity can only be visualized in Detect dashboards with Snowflake integrations.

Requirement:

Immuta permissions AUDIT and GOVERNANCE

Actions:

After Discover has run SDD and the classification frameworks, it may be necessary to adjust the resulting tags based on your organization's data, security, and compliance needs:

  1. Create a new global framework for SDD
  2. Configure rules for SDD
  3. Adjust and accept entity and classification tags

After completing the tutorials above, all data appears as the appropriate sensitivity type on the Detect dashboards with Snowflake data sources.

Get historical audit information

Only available with Snowflake integrations.

Requirement:

Immuta permission APPLICATION_ADMIN

Action:

Consult your Immuta representative to enable historical audit from Snowflake. Enabling historical audit populates your Immuta Detect with up to one year of data platform activity history for all data sources, but can be customized to less time. It will use the tags applied at the time it is enabled, so ensure the tags represent what you want before completing this step: Enable historical audit

FAQs

  1. Why do I see empty charts in Detect activity pages?
  2. Why are some of my query events showing their sensitivity as "Indeterminate" for columns with PI tags?

Why do I see empty charts in Detect activity pages?

Detect activity pages will have active charts when configured correctly with supported integrations after audit logs have been ingested. The user viewing must have the Immuta AUDIT permission.

Supported integrations

Detect supports the following integration for activity pages with dynamic query sensitivity that will determine and visualize the sensitivity of user queries:

Detect supports the following integrations for activity pages, but will not visualize any sensitivity:

See the prerequisites for more information on the required configuration for each integration.

Why is my query event classified as "Indeterminate" or "Nonsensitive" when the data dictionary tags imply the query event should be classified to be at least "Sensitive"?

Query events sensitivity is determined by the tags with sensitivity metadata on the columns queried from Snowflake data sources. Immuta comes with a built-in framework with sensitivity tags, the Risk Assessment Framework. Ensure you have completed the configuration steps for onboarding Detect with Discover.

Troubleshooting

Check your data source tags

If you have completed the above steps and still see new1 query events as "Indeterminate" or "Nonsensitive", check that the right tags were applied in the data dictionary:

  1. Navigate to the data source dictionary page.
  2. Confirm one of the following tags is applied to one of the queried data columns:

    • RAF.Confidentiality.Very High
    • RAF.Confidentiality.High
    • RAF.Confidentiality.Medium

    Detect uses the sensitivity scores associated with these tags to classify a query's sensitivity. When the queried columns have these tags and the associated classification rules in RAF or DSF are enabled at the time of audit query processing, the query event will indicate the proper classification.

  3. If there are no RAF tags applied, check if there are any DSF or Discovered tags applied. These tags are necessary for RAF tags to be applied.

Activate the frameworks

If you do not see any RAF tags, ensure the Data Security Framework and Risk Assessment Framework are active:

  1. Navigate to the classification frameworks page.
  2. Check the status of the Data Security Framework and the Risk Assessment Framework.
  3. If the frameworks are inactive, activate them. Once activated, allow time for the frameworks to run on your data sources. Then, check the data source again for RAF and DSF tags.
Run sensitive data discovery

If both frameworks are activated, there are no RAF tags, and there are no Discovered tags, run SDD to apply Discovered tags.

Additional Resources


  1. Historical queries are immutable. Sensitivity tags applied to columns will determine a query's sensitivity from now on, but not retroactively adjust the sensitivity of previous queries.