Immuta’s universal audit model (UAM) provides audit logs with a consistent structure for query, authentication, policy, project, and tag events from your Immuta users and data sources. You can view the information in these UAM audit logs on the Detect dashboards or export the full audit logs to S3 and ADLS for long-term backup and processing with log data processors and tools. This capability fosters convenient integrations with log monitoring services and data pipelines.
You can specify an S3 bucket destination where Immuta will periodically export audit logs when using S3. When using ADLS, you can specify the container destination where Immuta will export audit logs. If desired, users can configure both export options to export their audit logs to S3 and ADLS simultaneously.
The captured events are those relevant to user and system actions that affect Immuta or the integrated data platforms, such as creating policies or data sources and running queries.
See a list of the events captured and example schemas on the UAM schema reference guide.
The Immuta audit service is an independent microservice that captures audit events from Immuta and queries run against your Snowflake, Databricks Spark, or Databricks Unity Catalog integration.
Immuta stores the export endpoints you provide during configuration, retrieves the audit records pushed to the audit service by your integration, and manages the audit exports based on an export schedule you define. These audit records are also stored to support future reporting and user interface enhancements that will allow you to search based on keywords and facets easily across the entire body of audit events.
Public preview: This feature is public preview and available to all accounts.
After the integration endpoint has been configured, the export scheduler will run on the schedule you defined in your configuration.
When users query data and the event is audited, the audit service receives events from your Snowflake, Databricks Spark, Databricks Unity Catalog, or Starburst (Trino) integration.
Immuta exports the audit logs to your configured S3 bucket or ADLS container.
The table below outlines what information is included in the query audit logs for each integration where query audit is supported.
Table and user coverage
Registered data sources and users
Registered data sources and users
All tables and users
Registered data sources and users
Object queried
Columns returned
Query text
Unauthorized information
Policy details
User's entitlements
Column tags
Table tags
Legend:
The audit service does not capture system-level logging and debugging information, such as 404 errors.
Snowflake query audit events from a query using cached results will show 0 for the rowsProduced field.
Enrichment of audit logs with Immuta entitlements information is not supported. While you will see these entitlements in the Databricks Spark audit logs, the following will not be in the Databricks Unity Catalog audit logs:
Immuta policies information
User attributes
Groups
Immuta determines unauthorized events based on error messages within Unity Catalog records. When the error messages contain expected language, unauthorized events will be available for Databricks Unity Catalog audit logs. In other cases, it is not possible to determine the cause of an error.
Unauthorized cluster queries are not marked as unauthorized in the logs; they will always be marked as a failure.
Data source information will be provided when available:
For some queries, Databricks Unity Catalog does not report the target data source for the data access operation. In these cases the activity is audited, yet the audit record in Immuta will not include the target data source information.
The target data source information is not available for unauthorized queries and events.
The column affected by the query is not currently supported.
The cluster for the Unity Catalog integration must always be running for Immuta to audit activity and present audit logs.
Audit for the columns accessed in the query is not currently supported for Starburst, but is coming soon.
Audit for unauthorized access is not currently supported.
Audit including the user’s entitlements is not currently supported.
This is available and the information is included in audit logs.
This is not available and the information is not included in audit logs.
Public preview: This feature is public preview and available to all accounts.
Use these audit export configuration commands to manage exporting your audit logs to S3 and ADLS Gen2. To configure an audit export see the Export to S3 or Export to ADLS guides.
To disable a configuration, use the disableExportConfiguration mutation:
To enable a disabled configuration, use the enableExportConfiguration mutation:
To delete a configuration, use the deleteExportConfiguration mutation:
To update an existing configuration, use the mutation for your specific export configuration:
Export to S3 with access key: updateS3AccessKeyExportConfiguration
Export to S3 with assumed role: updateS3AssumedRoleExportConfiguration
Export to ADLS: updateAdlsSasTokenExportConfiguration
To make small changes, such as rotating the token, update the existing configuration rather than deleting it and creating a new one.
Starburst (Trino) query audit logs is a feature that audits queries that users run natively in Starburst (Trino) and presents them in a universal format as Immuta audit logs. Users can view audit records for queries made in Starburst (Trino) against Immuta data sources on the audit page. Immuta audits the activity of Immuta users on Immuta data sources.
Starburst (Trino) integration with the Starburst or Trino plugin version 443 or newer, or Trino 435 with the Immuta Trino 435.1 plugin
Starburst (Trino) users registered as Immuta users: Note that the users' Starburst (Trino) usernames must be mapped to Immuta. Without this, Immuta will not know the users are Immuta users and will not collect audit events for their data access activity.
Store audit logs
By default Starburst (Trino) audit logs expire after 90 days. Export the universal audit model (UAM) logs to S3 or ADLS Gen 2, and store audit logs outside of Immuta in order to retain the audit logs long-term.
Each audit message from the Immuta platform will be a one-line JSON object containing the properties listed below.
| Property | Description | Example |
| --- | --- | --- |
| action | The action associated with the audit log. | QUERY |
| actor.type | The Immuta user type of the actor who made the query. | USER_ACTOR |
| actor.id | The Immuta user ID of the actor who made the query. | taylor@starburst.com |
| actor.name | The Immuta name of the user who made the query. | Taylor |
| actor.identityProvider | The IAM the user is registered in. bim is the built-in Immuta IAM. | bim |
| actor.profileId | The profile ID of the user who made the query. | 10 |
| actionStatus | Indicates whether or not the user was granted access to the data. Possible values are FAILURE or SUCCESS. Unauthorized access is not audited for Starburst (Trino). | SUCCESS |
| eventTimestamp | The time the query occurred. | 2023-06-27T11:03:59.000Z |
| id | The unique Immuta ID of the audit record. This will match the Trino query ID. | 20240221_200952_00200_qhadw |
| tenantId | The Immuta SaaS tenant ID. | your-immuta.com |
| targetType | The type of targets affected by the query; this value will always be DATASOURCE. | DATASOURCE |
| targets | A list of the targets affected by the query. | See the example below |
| auditPayload.type | The type of audit record; this value will always be: QueryAuditPayload. | QueryAuditPayload |
| auditPayload.queryId | The unique Starburst (Trino) ID of the query. | 20240221_200952_00200_qhadw |
| auditPayload.query | The command text of the query that was run in the integration. Immuta truncates the query text to the first 2048 characters. | select * from lineitem l join orders o on l.orderkey = o.orderkey limit 10 |
| auditPayload.startTime | The date and time the query started in UTC. | 2023-06-27T11:03:59.000Z |
| auditPayload.duration | The time the query took in seconds. | 0.557 |
| auditPayload.objectsAccessed | An array of the data sources accessed in the query. | See example below. |
| auditPayload.objectsAccessed.name | The name of the data source accessed in the query. | \"tpch\".\"tiny\".\"customer\" |
| auditPayload.objectsAccessed.datasourceId | The Immuta data source ID. | 17 |
| auditPayload.objectsAccessed.databaseName | The name of the Starburst (Trino) catalog. | tpch |
| auditPayload.objectsAccessed.schemaName | The name of the Starburst (Trino) schema. | tiny |
| auditPayload.objectsAccessed.type | Specifies if the queried data source is a table or view. Starburst (Trino) queries are always LOGICAL_TABLE, which could be either. | LOGICAL_TABLE |
| auditPayload.objectsAccessed.columns | An array of the columns accessed in the query. | See example below. |
| auditPayload.objectsAccessed.columns.name | The name of the column. | custkey |
| auditPayload.objectsAccessed.columns.tags | An array of the tags on the column. | See example below. |
| auditPayload.objectsAccessed.columns.securityProfile | | See example below. |
| auditPayload.objectsAccessed.columns.inferred | If true, the column accessed has been determined by Immuta based on the available audit information from Starburst (Trino) and query parsing. It was not explicitly provided. | true |
| auditPayload.objectsAccessed.securityProfile | | See example below. |
| auditPayload.technologyContext.type | The technology the query was made in. | TrinoContext |
| auditPayload.technologyContext.trinoUsername | The Starburst (Trino) user ID for the user who made the query. | taylor@starburst.com |
| auditPayload.technologyContext.immutaPluginVersion | The version of the Immuta plugin in Starburst (Trino). | 437-SNAPSHOT |
| auditPayload.technologyContext.rowsProduced | The number of rows returned in the query. | 3 |
| auditPayload.version | The version of the audit event schema. | 1 |
| receivedTimestamp | The timestamp of when the audit event was received and stored by Immuta. | 2023-06-27T15:18:22.314Z |
objectsAccessed is not available with Hive or Iceberg views.
columnsAccessed will include columns related to the query that were not actually accessed in some cases:
For row access policies that rely on a column in the queried table, even if that column was not a part of the query, it will be included in the columnsAccessed.
For conditional masking, if the policy protects a column accessed, then the conditional column will be included in the columnsAccessed.
Immuta reports allow data governors to use a natural language builder to instantly create reports that delineate user activity across Immuta. These reports can be based on various entity types, including users, groups, projects, data sources, purposes, policy types, or connection types.
User reports can be run for all users or for individual users who have been registered in Immuta. Non-registered users' activity will not appear in reports.
Data sources subscribed to. This report lists data sources each user is subscribed to and includes user roles, subscription types, when users last subscribed, who approved the users' subscriptions to the data sources, when the subscriptions expire, what attributes the users possess, and the groups the users belong to.
Status of all users. This report lists account information of all users in the system, including the users' full names, usernames, IAMs, HDFS principals, and last login dates.
Groups the user belongs to. This report lists the names of the groups the user belongs to and the dates that groups were joined.
Data sources the user subscribes to. This report details the data source names, the user's roles, when the user last subscribed, who approved the subscriptions, when the subscriptions expire (if applicable), and the reasons for subscribing (if applicable).
Projects the user is currently a member of. This report lists the project names, whether the projects are public or private, the user's roles in the projects, the creator of the projects, when the projects were created, and when the user joined the projects.
All data sources ever accessed by the user. This report lists the data source names, when the data sources were first accessed by the user (or "read date"), and when the data sources were last accessed by the user. By default, this report only displays the last month of results. (You can download the full report by clicking Export to CSV.) The time period can be configured in the date field at the top of the report's page.
Attributes the user has. This report lists the current attributes a user has and the values assigned to each attribute.
Purposes for accessing data. This report lists all purposes under which the user has accessed data sources. By default, this report only displays the last month of results. (The full report can be downloaded by clicking Export to CSV.) The time period can be configured in the date field at the top of the report's page.
Group reports can be run for all groups or for individual groups.
Data sources that members of this group are subscribed to. This report lists the data source names, the group's role, when the group last subscribed to the data sources, who approved the subscriptions, and the expiration dates (if applicable), and reasons (if applicable) for the subscriptions.
Users who belong to the group. This report lists the names of users and the dates the users joined the group.
Data sources that members of this group are subscribed to. This report lists the data source names, the group's role, when the group last subscribed to the data sources, who approved the subscriptions, and the expiration dates (if applicable), and reasons (if applicable) for the subscriptions.
Projects that users in this group are members of. This report includes the names of the projects, whether the projects are public or private, the group's role in the projects, the names of the project creators, when the projects were created, and when the group joined the projects.
Attributes of the group. This report includes the names of the attributes assigned to this group.
Users and groups who are members of the project. This report includes usernames, email addresses, user roles in the project, when the users joined, and the subscription types. The subscription types may be "Individual User," indicating that the user joined the project directly, or it might be "Group," in which case the name of the group will be stated. Group subscriptions occur when an entire group is added to a project.
Data sources that are part of the project. This report lists the data source names, the reasons given when added to the project (if applicable), the users who added the data sources, and when the data sources were added to the project.
Purpose of the project. This report includes the purpose name, the user who added the purpose, and when the purpose was added to the project.
Data source reports can be run for all data sources or for individual data sources that are registered in Immuta. Activity to non-registered tables will not appear in the reports.
Users and groups subscribed to data sources. This report lists all users and groups subscribed to every data source and includes usernames, email addresses, subscription types, user roles, subscription dates, who approved the subscriptions, expiration dates, and user attributes.
Users and groups subscribed to the data source. This report lists the names of users, reasons for accessing the data sources (if applicable), user roles, email addresses, when users last subscribed, who approved the subscriptions, when the subscriptions expire (if applicable), and the subscription types. A subscription type may be "Individual User," indicating that the user subscribed to the data sources directly, or it might be "Group," in which case the name of the group will be stated. Group subscriptions occur when an entire group is added to a data source.
Projects that contain the data source. This report lists the project names, the users who added the data source to projects, when the data source was added to projects, the reasons for adding the data sources (if applicable), whether the projects are public or private, who created the projects, and when the projects were created.
Purposes of all projects that contain the data source. This report states the purpose names, the users who assigned the purposes to the projects, the dates the purposes were assigned, the names of the projects, the reasons the purposes were added (if applicable), whether the projects are public or private, who created the projects, and when the projects were created.
All users who have accessed the data source. This report lists usernames, email addresses, each user's latest query, and the date of the last access. By default, this report only displays the last month of results. (The full report can be downloaded by clicking Export to CSV.) The time period can be configured in the date field at the top of the report's page.
All purposes for data source access. This report lists users who have accessed the data source and the purposes under which they were working. By default, this report only displays the last month of results. (The full report can be downloaded by clicking Export to CSV.) The time period can be configured in the date field at the top of the report's page.
All users who have subscribed to the data source. This report lists users or groups, email addresses, when users subscribed, reasons for subscriptions (if applicable), who approved the subscriptions, when the subscriptions expire, and the dates and reasons users unsubscribed (if applicable). By default, this report only displays the last month of results. (The full report can be downloaded by clicking Export to CSV.)
All identifiers for the columns of the data source. This report lists all the identifiers that matched to a column of the data source through sensitive data discovery. It includes information about the column name, the hit percentage, and the number of rows sampled.
Users who are members of projects with this purpose. This report lists usernames, email addresses, their roles in the project, the names of the projects, whether the projects are public or private, the creators of the projects, when the projects were created, when users joined, and their subscription types (individual or group).
Data sources that are part of projects with this purpose. This report lists the names of the data sources, who created the data sources, the project names, whether the projects are public or private, the creators of the projects, whether the projects have other purposes, and when the projects were created. Note that whether projects have other purposes will be assigned as "True" or "False."
Whether any other purposes have been combined with this purpose. This report lists the names of the other purposes combined with the purpose you select, the project name where they are combined, the users who added each purpose, the project creator, whether the project is public or private, and the date the project was created.
Projects that have this purpose. This report lists the names of the projects, the users who added the purpose, whether the projects are public or private, creators of the projects, whether the projects have other purposes, and when the projects were created.
Data sources that have been accessed for this purpose. This report lists the names of the data sources, the users who accessed data sources for this purpose, the project names, and whether projects have other purposes. By default, this report only displays the last month of results, but the time period can be configured in the date field at the top of this report's page.
Data sources with this policy type. Immuta supports a range of policy types, such as masking, WHERE clauses, purpose restrictions, and more. This report lists every data source with this policy type, including when they were created, who created the data sources, who created the policy, and when the policy was created.
Global policy reports can be run for all global policies or for individual global policies.
Global policies that have been disabled. This report details the names of the policies, the policies themselves, the policy types, the data sources from which the policies were disabled, who disabled the policies, when they were disabled, the justifications the users provided for disabling the policies, who created the policies, when the policies were created, and how the policies were associated with the data sources.
Global policies that cannot currently be applied. This report details the names of the policies, the policies themselves, the policy types, the names of the data sources the policies cannot be applied to, when the data sources were created, when the policies were created, the reasons the policies cannot be applied, who created the policies, and how the policies are associated with the data sources.
Data sources impacted by the policy. This report lists the data sources, when the data sources were created, and whether or not the policy is fully applied to the data sources.
Data sources impacted by the policy that have not been certified. This report lists the data sources that have not been certified, when the global policy was applied, and the data owner.
Data sources impacted by the policy that have been certified. This report lists the data sources that have been certified, the user that certified it, when the global policy was applied, and when it was certified.
Data sources with this connection type. This report lists the data sources, each data source's creator, the creation date, and the tables or queries used by the connection selected.
Tag reports can be run for all tags or for individual tags.
Data sources this tag has been assigned to. This report generates a list of data sources associated with that tag and includes the columns tagged, the value types of the data tagged, who tagged the data sources, when the data sources were tagged, and when the data sources were created.
Purposes associated with data sources containing this tag. This report generates a list of purposes under which users have accessed data sources containing this tag. By default, this report only displays the last month of results. (The full report can be downloaded by clicking Export to CSV.) The time period can be configured in the date field at the top of the report's page.
Users who have accessed data sources containing this tag. This report lists users who have accessed data sources with this tag, their email addresses, when they queried the data, and when the data sources were created.
Projects that contain data with this tag. This report details the projects associated with this tag, whether or not the projects are public or private, when the projects were created, the data sources in the projects, and when the data sources were created.
Users that have subscribed to data sources with any tag. This report lists users, their subscription type, and all of the tags in Immuta with information of whether or not users are subscribed to at least one data source where that tag is applied.
Data sources any tag has been applied to. This report lists data sources with the tags applied to them and the columns they are applied to.
Projects that contain a data source with any tag. This report lists projects and the data sources assigned to them with the tag they have applied.
Columns with SDD tags applied. This report generates a list of all Discovered tags that have been applied to data sources by sensitive data discovery. It includes information about the column it is applied to within each data source and active policies that use the tag.
Columns with legacy SDD tags. This report generates a list of all Discovered tags applied by legacy SDD and provides context if native SDD also found those tags. It includes information about the data sources, columns, and active policies that use the tag.
Snowflake query audit logs is a feature that audits queries that users run natively in Snowflake and presents them in a universal format as Immuta audit logs. Immuta uses the Snowflake QUERY_HISTORY and ACCESS_HISTORY tables and translates them into the audit logs that can be viewed at query events in the Immuta UI or . Immuta audits the activity of Immuta users on Immuta data sources.
Snowflake Enterprise Edition or higher
: Note that the users' . Without this, Immuta will not know the users are Immuta users and will not collect audit events for their data access activity.
Store audit logs
By default Snowflake audit logs expire after 90 days. , and store audit logs outside of Immuta in order to retain the audit logs long-term.
Immuta collects audit records at the frequency , which is between 1 and 24 hours. The frequency is a global setting based on integration type, so organizations with multiple Snowflake integrations will have the same audit frequency for all of them. The more frequent the audit records are ingested, the more current the audit records; however, there could be performance and cost impacts from the frequent jobs.
To manually request native query audit ingestion, click Load Audit Events on the Immuta audit page.
Each audit message from the Immuta platform will be a one-line JSON object containing the properties listed below.
In addition to the executed Spark plan, the tables, and the tables' underlying paths for every audited Spark job, Immuta captures the code or query that triggers the Spark plan. Immuta audits the activity of Immuta users on Immuta data sources.
: Note that the users' . Without this, Immuta will not know the users are Immuta users and will not collect audit events for their data access activity.
Store audit logs
By default Databricks audit logs expire after 90 days. , and store audit logs outside of Immuta in order to retain the audit logs long-term.
Each audit message from the Immuta platform will be a one-line JSON object containing the properties listed below.
Below is an example of the queryText, which contains the full notebook cell (since the query was the result of a notebook). If the query had been from a JDBC connection, the queryText would contain the full SQL query.
This notebook cell had multiple audit records associated with it.
Beyond raw audit events (such as "John Doe queried Table X in Databricks"), the Databricks audit records include the policy information enforced during the query execution, even if a query was denied.
Queries will be denied if at least one of the conditions below is true:
User does not meet policy conditions.
User is not subscribed to the data source.
Data source is not in the user's current project.
Data source is in the user's current project, but the user is not subscribed to the data source.
Data source is not registered in Immuta.
The user's entitlements represent the state at the time of the query. This includes the following fields:
The policySet includes the following fields:
brings in audit information for all tables and data sources, so some audit logs are created from activity by users not registered in Immuta. These audit records will appear in Immuta, providing valuable information of activity, with the username Unknown. This can be seen on the audit page or in user and data activity dashboards.
While the Immuta user is unknown, the user's Databricks Unity Catalog username can be found within the audit log. To view the user's data platform username:
Navigate to the event page.
Select View JSON.
The username can be found in the auditPayload.technologyContext.account.username field.
To improve your future audit records, ensure these users are properly registered and can be named in the logs:
If you have not registered any users, .
If you have registered users but this user was missed, .
If this user is in Immuta but not appearing in the audit record, .
Native query audit for Databricks Unity Catalog captures user data access within Unity Catalog and presents it in a universal format as Immuta audit logs. Multiple access options are supported for audit:
Cluster queries with the following supported languages: SQL, Scala, Python, and R.
SQL warehouse queries
Immuta audits the activity of all Unity Catalog users and tables regardless of whether they are registered in Immuta.
A Databricks deployment with capabilities
Store audit logs
By default Databricks Unity Catalog audit logs expire after 90 days. , and store audit logs outside of Immuta in order to retain the audit logs long-term.
Immuta collects audit records at the frequency , which is between 1 and 24 hours. The frequency is a global setting based on integration type, so organizations with multiple Unity Catalog integrations will have the same audit frequency for all of them. The more frequent the audit records are ingested, the more current the audit records; however, there could be performance and cost impacts from the frequent jobs. Immuta will start a Databricks cluster to complete the audit ingest job if one is not already running.
To manually prompt the native query audit, click Load Audit Events on the Immuta audit page.
Immuta audits all data sources and users in Unity Catalog. An administrator can configure the integration to just ingest specific workspaces when .
Each audit message from the Immuta platform will be a one-line JSON object containing the properties listed below.
Enrichment of audit logs with Immuta entitlements information is not supported. While you will see these entitlements in the Databricks Spark audit logs, the following will not be in the native query audit for Unity Catalog:
Immuta policies information
User attributes
Groups
Immuta determines unauthorized events based on error messages within Unity Catalog records. When the error messages contain expected language, unauthorized events will be available for native query audit for Unity Catalog. In other cases, it is not possible to determine the cause of an error.
Audit for cluster queries does not support the UNAUTHORIZED status. If a cluster query is unauthorized, it will show FAILURE.
Data source information will be provided when available:
For some queries, Databricks Unity Catalog does not report the target data source for the data access operation. In these cases the activity is audited, yet the audit record in Immuta will not include the target data source information.
Data source information is not available for unauthorized queries and events.
Column information from the query is not currently supported.
Details about the sensitivity of the column. Available when .
A classification for all the columns accessed together. Available when .
Immuta audit records include unregistered data sources and users; however, activity from them will not appear in any .
| Field | Description |
| --- | --- |
| project | The user's current project. |
| attributes | The user's attributes. |
| groups | The user's groups. |
| impersonatedUsers | The user that the current user is impersonating. |

| Field | Description | Possible values |
| --- | --- | --- |
| subscriptionPolicyType | The type of subscription policy. | MANUAL, ADVANCED, or ENTITLEMENTS |
| type | Indicates whether the policy is a subscription or data policy. Query denied records will always be a subscription policy type. | SUBSCRIPTION or DATA |
| ruleAppliedForUser | True if the policy was applied for the user. If false, the user was an exception to the policy. | true or false |
| rationale | The policy rationale written by the policy creator. | - |
| global | True if the policy was a global policy. If false, the policy is local. | true or false |
| mergedPolicies | Shows the policy information for each of the merged global subscription policies, if available. | - |
action
The action associated with the audit log.
QUERY
actor.type
The Immuta user type of the actor who made the query. When the actor is not registered with Immuta, the type
, id
, and name
fields will be unknown
.
USER_ACTOR
actor.id
The Immuta user ID of the actor who made the query. When the actor is not registered with Immuta, the type
, id
, and name
fields will be unknown
.
taylor@databricks.com
actor.name
The Immuta name of the user who made the query. When the user is not registered with Immuta, the type, id, and name fields will be unknown.
Taylor
actor.identityProvider
The IAM the user is registered in. bim is the built-in Immuta IAM. When the user is not registered with Immuta, this field will be omitted.
bim
actor.profileId
The profile ID of the user who made the query. When the user is not registered with Immuta, this field will be omitted.
10
sessionId
The session ID of the user who performed the action.
01ee14d9-cab3-1ef6-9cc4-f0c315a53788
requestId
The API request ID that triggered the action, if applicable.
504b8fd9-38c1-4a90-966e-7445a6675f79
actionStatus
Indicates whether or not the user was granted access to the data. Possible values are UNAUTHORIZED, FAILURE, or SUCCESS.
SUCCESS
actionStatusReason
When available, the reason from Unity Catalog that the user’s query was denied.
null if actionStatus is SUCCESS
eventTimestamp
The time the query occurred.
2023-06-27T11:03:59.000Z
id
The unique ID of the audit record.
9f542dfd-5099-4362-a72d-8377306db3b8
tenantId
The Immuta SaaS tenant ID.
your-immuta.com
userAgent
Client information of the user who made the query.
-
targetType
The type of targets affected by the query; this value will always be DATASOURCE.
DATASOURCE
targets
A list of the targets affected by the query.
See the example below
auditPayload.type
The type of audit record; this value will always be QueryAuditPayload.
QueryAuditPayload
auditPayload.queryId
The unique ID of the query. If the query joins multiple tables, each table will appear as a separate log, but all will have the same query ID.
01ee14da-517a-1670-afce-0c3e0fdcf7d4
auditPayload.query
The command text of the query that was run in the integration. Immuta truncates the query text to the first 2048 characters.
SELECT VERSION AS 'version' FROM 'sample-data'.'__immuta_version'
auditPayload.startTime
The date and time the query started in UTC.
2023-06-27T11:03:59.000Z
auditPayload.duration
The time the query took in seconds.
0.557
auditPayload.errorCode
The errorCode for the denied query.
null if actionStatus is SUCCESS
auditPayload.technologyContext.type
The technology the query was made in.
DatabricksContext
auditPayload.technologyContext.clusterId
The Unity Catalog cluster ID.
null
auditPayload.technologyContext.workspaceId
The Unity Catalog workspace ID.
8765531160949612
auditPayload.technologyContext.service
Where in Unity Catalog the query was made. Possible values are SQL for SQL warehouses and NOTEBOOK for notebooks.
SQL
auditPayload.technologyContext.warehouseId
The Unity Catalog warehouse ID.
559483c6eac0359f
auditPayload.technologyContext.notebookId
The Unity Catalog notebook ID.
869500255746458
auditPayload.technologyContext.account.id
The actor’s Unity Catalog account ID.
52e863bc-ea7f-46a9-8e17-6aed7541832d
auditPayload.technologyContext.account.username
The actor’s Unity Catalog username.
taylor@databricks.com
auditPayload.technologyContext.host
The Unity Catalog host.
deployment-name.cloud.databricks.com
auditPayload.technologyContext.clientIp
The IP address of the Spark cluster the request is coming from.
0.0.0.0
auditPayload.objectsAccessed
The Unity Catalog objects accessed.
[]
auditPayload.securityProfile.sensitivity.score
The sensitivity score of the query. Classification must be configured for this field.
INDETERMINATE
auditPayload.version
The version of the audit event schema.
1
receivedTimestamp
The timestamp of when the audit event was received and stored by Immuta.
2023-06-27T15:18:22.314Z
action
The action associated with the audit log.
QUERY
actor.type
The Immuta user type of the actor who made the query.
USER_ACTOR
actor.id
The Immuta user ID of the actor who made the query.
taylor@snowflake.com
actor.name
The Immuta name of the user who made the query.
Taylor
actor.identityProvider
The IAM the user is registered in. bim is the built-in Immuta IAM.
bim
sessionId
The session ID of the user who performed the action.
01ee14d9-cab3-1ef6-9cc4-f0c315a53788
actionStatus
Indicates whether or not the user was granted access to the data. Possible values are UNAUTHORIZED, FAILURE, or SUCCESS.
SUCCESS
actionStatusReason
When available, the reason from Unity Catalog that the user’s query was denied.
null if actionStatus is SUCCESS
eventTimestamp
The time the query occurred.
2023-06-27T11:03:59.000Z
id
The unique ID of the audit record.
9f542dfd-5099-4362-a72d-8377306db3b8
userAgent
Client information of the user who made the query.
Snowflake Web App
tenantId
The Immuta SaaS tenant ID.
your-immuta.com
targetType
The type of targets affected by the query; this value will always be DATASOURCE.
DATASOURCE
targets
A list of the targets affected by the query.
See the example below
auditPayload.type
The type of audit record; this value will always be QueryAuditPayload.
QueryAuditPayload
auditPayload.queryId
The unique ID of the query. If the query joins multiple tables, each table will appear as a separate log, but all will have the same query ID.
01ee14da-517a-1670-afce-0c3e0fdcf7d4
auditPayload.query
The command text of the query that was run in the integration. Immuta truncates the query text to the first 2048 characters.
SELECT VERSION AS 'version' FROM 'sample-data'.'__immuta_version'
auditPayload.startTime
The date and time the query started in UTC.
2023-06-27T11:03:59.000Z
auditPayload.duration
The time the query took in seconds.
0.557
auditPayload.errorCode
The errorCode for the denied query.
null if actionStatus is SUCCESS
auditPayload.technologyContext.type
The technology the query was made in.
SnowflakeContext
auditPayload.technologyContext.host
The host that the integration is connected to.
your-hostname.snowflake.computing.com
auditPayload.technologyContext.snowflakeUsername
The user's Snowflake username.
taylor@snowflake.com
auditPayload.technologyContext.rowsProduced
The number of rows returned in the query. Note that rows produced will show 0 for cached queries.
3
auditPayload.technologyContext.roleName
The Snowflake role the user used to make the query.
ACCOUNTADMIN
auditPayload.technologyContext.warehouseId
The ID of the warehouse where the query was made.
null
auditPayload.technologyContext.warehouseName
The name of the warehouse where the query was made.
null
auditPayload.technologyContext.clusterNumber
The number of the cluster where the query was made.
0
auditPayload.objectsAccessed
An array of the data sources accessed in the query.
See example below.
auditPayload.objectsAccessed.name
The name of the data source accessed in the query.
\"tpch\".\"tiny\".\"customer\"
auditPayload.objectsAccessed.datasourceId
The Immuta data source ID.
17
auditPayload.objectsAccessed.databaseName
The name of the Snowflake database.
tpch
auditPayload.objectsAccessed.schemaName
The name of the Snowflake schema.
tiny
auditPayload.objectsAccessed.type
Specifies if the queried data source is a table or view.
TABLE
auditPayload.objectsAccessed.columns
An array of the columns accessed in the query.
See example below.
auditPayload.objectsAccessed.columns.name
The name of the column.
custkey
auditPayload.objectsAccessed.columns.tags
An array of the tags on the column.
See example below.
auditPayload.objectsAccessed.columns.securityProfile
Details about the sensitivity of the column. Available when classification frameworks are configured.
See example below.
auditPayload.objectsAccessed.columns.inferred
If true, the column accessed has been determined by Immuta using query parsing; false if it is explicitly provided.
false
auditPayload.objectsAccessed.securityProfile
A classification for all the columns accessed together. Available when classification frameworks are configured.
See example below.
auditPayload.securityProfile.sensitivity.score
The sensitivity score of the query. Classification must be configured for this field.
INDETERMINATE
receivedTimestamp
The timestamp of when the audit event was received and stored by Immuta.
2023-06-27T15:18:22.314Z
action
The action associated with the audit log.
QUERY
actor.type
The Immuta user type of the actor who made the query.
USER_ACTOR
actor.id
The Immuta user ID of the actor who made the query.
taylor@databricks.com
actor.name
The Immuta name of the user who made the query.
Taylor
actor.identityProvider
The IAM the user is registered in. bim is the built-in Immuta IAM.
bim
sessionId
The session ID of the user who performed the action.
01ee14d9-cab3-1ef6-9cc4-f0c315a53788
actionStatus
Indicates whether or not the user was granted access to the data. Possible values are UNAUTHORIZED, FAILURE, or SUCCESS.
SUCCESS
actionStatusReason
When a user's query is denied, this property explains why. When a query is successful, this value is null.
eventTimestamp
The time the query occurred.
2023-06-27T11:03:59.000Z
id
The unique ID of the audit record.
9f542dfd-5099-4362-a72d-8377306db3b8
customerId
The unique Databricks customer ID.
9f542dfd-5099-4362-a72d-8377306db3b8
targetType
The type of targets affected by the query; this value will always be DATASOURCE.
DATASOURCE
targets
A list of the targets affected by the query.
See the example below
auditPayload.type
The type of audit record; this value will always be QueryAuditPayload.
QueryAuditPayload
auditPayload.queryId
The unique ID of the query. If the query joins multiple tables, each table will appear as a separate log, but all will have the same query ID.
01ee14da-517a-1670-afce-0c3e0fdcf7d4
auditPayload.query
The query that was run in the integration. Immuta truncates the query text to the first 2048 characters.
See the example below
auditPayload.startTime
The date and time the query started in UTC.
2023-06-27T11:03:59.000Z
auditPayload.duration
Not available for Databricks Spark audit events.
null
auditPayload.accessControls
Includes the user's groups, attributes, and current project at the time of the query.
auditPayload.policySet
Provides policy details.
auditPayload.technologyContext.type
The technology the query was made in.
DatabricksContext
auditPayload.technologyContext.clusterId
The Databricks cluster ID.
null
auditPayload.technologyContext.clusterName
The Databricks cluster name.
databricks-cluster-name
auditPayload.technologyContext.workspaceId
The Databricks workspace ID.
8765531160949612
auditPayload.technologyContext.pathUris
The Databricks URI scheme for the storage type.
["dbfs:/user/hive/warehouse/your_database.db/movies"]
auditPayload.technologyContext.metastoreTables
The Databricks metastore tables.
["your_database.movies"]
auditPayload.technologyContext.queryLanguage
The queryLanguage corresponds to the programming language used: SQL, Python, Scala, or R. Audited JDBC queries will indicate here that they came from JDBC.
python
auditPayload.technologyContext.queryText
The queryText will contain either the full notebook cell (when the query is the result of a notebook) or the full SQL query (when it is a query from a JDBC connection).
See the example below
auditPayload.technologyContext.immutaPluginVersion
The Immuta plugin version for the Databricks Spark integration.
2022.3.0-spark-3.1.1
receivedTimestamp
The timestamp of when the audit event was received and stored by Immuta.
2023-06-27T15:18:22.314Z
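A triage pass over exported query events, built on the field names in the tables above: it groups per-table records by auditPayload.queryId, counts UNAUTHORIZED queries per actor, and marks unregistered actors and query text at the 2048-character limit. This is an added example, not Immuta code; the one-JSON-record-per-line layout, the nesting of dotted names (actor.id as actor → id), the literal string unknown for unregistered actors, and all sample records are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

QUERY_TEXT_LIMIT = 2048  # per the page, query text is cut to the first 2048 characters


def _rec(query_id, actor_id, status, query, tables):
    """Build one constructed record using field names from the tables above."""
    registered = actor_id != "unknown"
    return {
        "action": "QUERY",
        "actor": {"type": "USER_ACTOR" if registered else "unknown",
                  "id": actor_id, "name": actor_id.split("@")[0]},
        "actionStatus": status,
        "eventTimestamp": "2023-06-27T11:03:59.000Z",
        "targetType": "DATASOURCE",
        "auditPayload": {"type": "QueryAuditPayload", "queryId": query_id,
                         "query": query,
                         "objectsAccessed": [{"name": t} for t in tables]},
    }


JOIN_SQL = "SELECT c.custkey FROM customer c JOIN orders o ON o.custkey = c.custkey"

# Constructed sample export (assumed layout: one JSON record per line).
SAMPLE_EXPORT = "\n".join([
    # One joined query arrives as two records that share a queryId.
    json.dumps(_rec("q-1", "taylor@example.com", "SUCCESS", JOIN_SQL, ["customer"])),
    json.dumps(_rec("q-1", "taylor@example.com", "SUCCESS", JOIN_SQL, ["orders"])),
    # Denied queries carry no data source information.
    json.dumps(_rec("q-2", "sam@example.com", "UNAUTHORIZED", "SELECT * FROM payroll", [])),
    json.dumps(_rec("q-3", "sam@example.com", "UNAUTHORIZED", "SELECT * FROM reviews", [])),
    # Actor not registered with Immuta.
    json.dumps(_rec("q-4", "unknown", "SUCCESS", "SELECT 1", ["customer"])),
    # Query text exactly at the truncation limit.
    json.dumps(_rec("q-5", "taylor@example.com", "SUCCESS", "SELECT " + "x" * 2041, ["customer"])),
    "{damaged line",
])


def load_query_events(export_text):
    """Return (query_events, skipped_lines); non-query and damaged lines are dropped."""
    events, skipped = [], 0
    for line in export_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        payload = rec.get("auditPayload") if isinstance(rec, dict) else None
        if (isinstance(payload, dict) and rec.get("action") == "QUERY"
                and payload.get("type") == "QueryAuditPayload"):
            events.append(rec)
    return events, skipped


def triage(events, denied_threshold=2):
    """Group records by queryId, then report denials, unknown actors, truncation."""
    by_query = defaultdict(list)
    for ev in events:
        by_query[ev["auditPayload"].get("queryId") or "<missing>"].append(ev)

    denied = defaultdict(set)
    unregistered, truncated, tables = set(), set(), {}
    for qid, recs in by_query.items():
        names = set()
        for rec in recs:
            payload = rec["auditPayload"]
            names.update(o["name"] for o in payload.get("objectsAccessed") or []
                         if isinstance(o, dict) and o.get("name"))
            actor_id = str((rec.get("actor") or {}).get("id", "unknown"))
            if actor_id.lower() == "unknown":
                unregistered.add(qid)
            if rec.get("actionStatus") == "UNAUTHORIZED":
                denied[actor_id].add(qid)
            # At the limit the stored text may be incomplete, so never match on its tail.
            if len(payload.get("query") or "") >= QUERY_TEXT_LIMIT:
                truncated.add(qid)
        tables[qid] = sorted(names)

    return {
        "distinct_queries": len(by_query),
        "tables_by_query": tables,
        "denied_by_actor": {a: sorted(q) for a, q in denied.items()},
        "repeat_denials": sorted(a for a, q in denied.items() if len(q) >= denied_threshold),
        "unregistered_actor_queries": sorted(unregistered),
        "possibly_truncated": sorted(truncated),
    }


if __name__ == "__main__":
    evs, bad = load_query_events(SAMPLE_EXPORT)
    print(json.dumps(triage(evs), indent=2), "skipped:", bad)
```

Counting distinct queryId values rather than records keeps a single joined query from inflating per-user query or denial counts.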
Universal audit model (UAM) is Immuta's consistent structure for all Immuta system and user query audit logs. This reference guide provides example schemas of all the UAM events available in Immuta.
Parameter details appear throughout to help explain the UAM schemas. Two parameters are important to every event:
targetType: Identifies the Immuta object that is the target of the audited action, such as a user, project, or policy.
action: Identifies the base action performed on the target, such as a create, delete, or update.
To learn more about Immuta's audit, see the UAM reference page or view the examples below.
API keys
Audit events for managing API keys.
Attributes
Audit events for managing attributes.
Configuration
An audit event for Immuta configuration changes.
Data sources
Audit events for actions on data sources and their policies.
Domains
Audit events for managing domains, domain policies, and domain permissions.
Global policies
Audit events for managing global policies.
Groups
Audit events for managing Immuta groups and group members.
License
Audit events for managing Immuta licenses.
Local policies
Audit events for managing local policies.
Permissions
Audit events for managing user permissions.
Policy adjustments
Audit events for managing policy adjustments in a project.
Projects
Audit events for managing projects and their purposes.
Purposes
Audit events for managing purposes.
Queries
Audit events for user queries within data platforms.
Sensitive data discovery (SDD)
Audit events for managing and running SDD.
Tags
Audit events for managing tags and their application.
Users
Audit events for user actions, managing users, and managing the objects users are subscribed to in Immuta.
Webhooks
Audit events for managing webhooks.
Event: ApiKeyCreated
Legacy event: apiKey
Description: An audit event for when an API key is created on the Immuta app settings page or from an Immuta user's profile page.
Event: ApiKeyDeleted
Legacy event: apiKey
Description: An audit event for when an API key is deleted on the Immuta app settings page or from an Immuta user's profile page.
Event: AttributeApplied
Legacy events: accessUser and accessGroup
Description: An audit event for an attribute applied to a group or user.
Additional parameter details: targetType will specify whether the attribute was added to a USER or GROUP.
Event: AttributeRemoved
Legacy events: accessUser and accessGroup
Description: An audit event for an attribute removed from a group or user.
Additional parameter details: targetType will specify whether the attribute was removed from a USER or GROUP.
Event: ConfigurationUpdated
Legacy event: configurationUpdate
Description: An audit event for updates to the configuration on the Immuta app settings page.
Event: DatasourceAppliedToProject
Legacy event: addToProject
Description: An audit event for adding a data source to an Immuta project.
Event: DatasourceCatalogSynced
Legacy event: catalogUpdate
Description: An audit event for syncing an external catalog to tag Immuta data sources.
Event: DatasourceCreated
Legacy event: dataSourceCreate
Description: An audit event for registering a table as an Immuta data source.
Event: DatasourceDeleted
Legacy event: dataSourceDelete
Description: An audit event for deleting a data source in Immuta.
Event: DatasourceDisabled
Legacy event: None
Description: An audit event for disabling a data source in Immuta.
Event: DatasourceGlobalPolicyApplied
Legacy event: globalPolicyApplied
Description: An audit event for applying a global policy to a data source.
Event: DatasourceGlobalPolicyConflictResolved
Legacy event: globalPolicyConflictResolved
Description: An audit event for a global policy conflict being resolved on a data source.
Event: DatasourceGlobalPolicyDisabled
Legacy event: globalPolicyDisabled
Description: An audit event for a data owner disabling a global policy from their data source.
Event: DatasourceGlobalPolicyRemoved
Legacy event: globalPolicyRemoved
Description: An audit event for a data owner removing a global policy from their data source.
Event: DatasourcePolicyCertificationExpired
Legacy event: policyCertificationExpired
Description: An audit event for a global policy certification expiring on a data source.
Event: DatasourcePolicyCertified
Legacy event: globalPolicyCertify
Description: An audit event for a global policy being certified by a data owner for their data source.
Event: DatasourcePolicyDecertified
Legacy events: None
Description: An audit event for a global policy being decertified on a data source.
Event: DatasourceRemovedFromProject
Legacy event: removeFromProject
Description: An audit event for removing a data source from a project.
Event: DatasourceUpdated
Legacy events: dataSourceUpdate and dataSourceSave
Description: An audit event for updating a data source with the new data source details.
Event: DomainCreated
Legacy event: collectionCreated
Description: An audit event for creating a domain.
Event: DomainDataSourcesUpdated
Legacy events: collectionDataSourceAdded, collectionDataSourceRemoved, and collectionDataSourceUpdated
Description: An audit event for updating a domain's data sources.
Additional parameter details: auditPayload.updateType will specify whether the data source was added to or removed from the domain.
Event: DomainDeleted
Legacy event: collectionDeleted
Description: An audit event for deleting a domain.
Event: DomainPermissionsUpdated
Legacy events: collectionPermissionGranted and collectionPermissionRevoked
Description: An audit event for granting or revoking a user's domain-related permissions.
Additional parameter details: auditPayload.updateType will specify whether the permission was granted to or revoked from a user.
Event: DomainUpdated
Legacy event: collectionUpdated
Description: An audit event for updating an Immuta domain.
Event: GlobalPolicyApprovalRescinded
Legacy event: globalPolicyApprovalRescinded
Description: An audit event for a global policy approval rescinded in the approve to promote workflow.
Event: GlobalPolicyApproved
Legacy event: globalPolicyApproved
Description: An audit event for a global policy approved in the approve to promote workflow.
Event: GlobalPolicyChangeRequested
Legacy event: globalPolicyChangeRequested
Description: An audit event for requested edits on a global policy in the approve to promote workflow.
Event: GlobalPolicyCreated
Legacy event: globalPolicyCreate
Description: An audit event for creating a global policy.
Event: GlobalPolicyDeleted
Legacy event: globalPolicyDelete
Description: An audit event for deleting a global policy.
Event: GlobalPolicyPromoted
Legacy event: globalPolicyPromoted
Description: An audit event for when a global policy is fully approved and promoted to production in the approve to promote workflow.
Event: GlobalPolicyReviewRequested
Legacy event: globalPolicyReviewRequested
Description: An audit event for when a global policy is ready and requests a review in the approve to promote workflow.
Event: GlobalPolicyUpdated
Legacy event: globalPolicyUpdate
Description: An audit event for a global policy being updated with details about the policy.
Event: GroupCreated
Legacy event: accessGroup
Description: An audit event for a group created in Immuta.
Event: GroupDeleted
Legacy event: accessGroup
Description: An audit event for a group deleted in Immuta.
Event: GroupMemberAdded
Legacy event: accessGroup
Description: An audit event for a member added to a group in Immuta.
Event: GroupMemberRemoved
Legacy event: accessGroup
Description: An audit event for a group member removed from the group in Immuta.
Event: GroupUpdated
Legacy event: accessGroup
Description: An audit event for a group updated in Immuta.
Event: LicenseCreated
Legacy event: licenseCreate
Description: An audit event for creating an Immuta license.
Event: LicenseDeleted
Legacy event: licenseDelete
Description: An audit event for deleting an Immuta license.
Event: LocalPolicyCreated
Legacy event: policyHandlerCreate
Description: An audit event for creating a local policy for an Immuta data source.
Event: LocalPolicyUpdated
Legacy event: policyHandlerUpdate
Description: An audit event for updating a local policy on an Immuta data source.
Event: PermissionApplied
Legacy event: accessUser
Description: An audit event for a permission applied to an Immuta user.
Event: PermissionRemoved
Legacy event: accessUser
Description: An audit event for a permission removed from an Immuta user.
Event: PolicyAdjustmentCreated
Legacy event: policyAdjustmentCreate
Description: An audit event for creating a policy adjustment in an Immuta project.
Event: PolicyAdjustmentDeleted
Legacy event: policyAdjustmentDelete
Description: An audit event for deleting a policy adjustment in an Immuta project.
Event: ProjectCreated
Legacy event: projectCreate
Description: An audit event for creating a project in Immuta.
Event: ProjectDeleted
Legacy event: projectDelete
Description: An audit event for deleting a project in Immuta.
Event: ProjectDisabled
Legacy events: None
Description: An audit event for disabling a project in Immuta.
Event: ProjectPurposeApproved
Legacy event: projectPurposeApprove
Description: An audit event for approving a purpose for a project in Immuta.
Event: ProjectPurposeDenied
Legacy event: projectPurposeDeny
Description: An audit event for denying a purpose for a project in Immuta.
Event: ProjectPurposesAcknowledged
Legacy event: acknowledgePurposes
Description: An audit event for acknowledging a purpose for a project in Immuta.
Event: ProjectUpdated
Legacy event: projectPurposeDeny
Description: An audit event for updating a project in Immuta.
Event: PurposeDeleted
Legacy event: purposeDelete
Description: An audit event for deleting a purpose in Immuta.
Event: PurposeUpdated
Legacy event: purposeUpdate
Description: An audit event for updating a purpose in Immuta.
Event: PurposeUpserted
Legacy event: purposeCreate
Description: An audit event for creating a purpose in Immuta.
Event: SDDClassifierCreated
Legacy event: sddClassifierCreated
Description: An audit event for creating a sensitive data discovery (SDD) column name regex, regex, or dictionary identifier.
Additional parameter details:
auditPayload.config.columnNameRegex: For column name regex identifiers, the regex to match against column names.
auditPayload.config.values: For dictionary identifiers, the values within the dictionary to match against column values.
auditPayload.config.regex: For regex identifiers, the regex to match against column values.
Event: SDDClassifierDeleted
Legacy event: sddClassifierDeleted
Description: An audit event for deleting a sensitive data discovery (SDD) identifier.
Event: SDDClassifierUpdated
Legacy event: sddClassifierUpdated
Description: An audit event for updating a sensitive data discovery (SDD) column name regex, regex, or dictionary identifier.
Additional parameter details:
auditPayload.config.columnNameRegex: For column name regex identifiers, the regex to match against column names.
auditPayload.config.values: For dictionary identifiers, the values within the dictionary to match against column values.
auditPayload.config.regex: For regex identifiers, the regex to match against column values.
Event: SDDDatasourceTagUpdated
Legacy event: sddDatasourceTagUpdate
Description: An audit event for the results from a sensitive data discovery (SDD) run that updates the tags on Immuta data sources.
Event: SDDTemplateApplied
Legacy event: sddTemplateApplied
Description: An audit event for applying an identification framework to data sources.
Event: SDDTemplateCloned
Legacy event: sddTemplateCreated
Description: An audit event for cloning an identification framework from another framework.
Event: SDDTemplateCreated
Legacy event: sddTemplateCreated
Description: An audit event for creating an identification framework.
Event: SDDTemplateDeleted
Legacy event: sddTemplateDeleted
Description: An audit event for deleting an identification framework.
Event: SDDTemplateUpdated
Legacy event: sddTemplateUpdated
Description: An audit event for updating an identification framework.
Event: SubscriptionCreated
Legacy events: dataSourceSubscription and projectSubscription
Description: An audit event for subscribing a user to a data source or project.
Additional parameter details: auditPayload.modelType will specify whether the user was subscribed to a DATASOURCE or PROJECT.
Event: SubscriptionUpdated
Legacy events: dataSourceSubscription and projectSubscription
Description: An audit event for removing a user's subscription to a data source or project.
Additional parameter details: auditPayload.modelType will specify whether the user's subscription was removed from a DATASOURCE or PROJECT.
Event: SubscriptionUpdated
Legacy events: dataSourceSubscription and projectSubscription
Description: An audit event for a user's request to subscribe to a data source or project.
Additional parameter details: targets.model.type will specify whether the subscription was approved for a DATASOURCE or PROJECT.
Event: SubscriptionUpdated
Legacy events: dataSourceSubscription and projectSubscription
Description: An audit event for denying a user's request to subscribe to a data source or project.
Additional parameter details: auditPayload.modelType will specify whether the user's subscription was denied for a DATASOURCE or PROJECT.
Event: SubscriptionRequested
Legacy events: dataSourceSubscription and projectSubscription
Description: An audit event for a user requesting to subscribe to a data source or project.
Additional parameter details: auditPayload.modelType will specify whether the user requested to subscribe to a DATASOURCE or PROJECT.
Event: SubscriptionUpdated
Legacy events: dataSourceSubscription and projectSubscription
Description: An audit event for a user subscribing to a data source or project.
Additional parameter details: targets.model.type will specify whether the subscription was updated on a DATASOURCE or PROJECT.
Event: TagApplied
Legacy event: tagAdded
Description: An audit event for applying a tag to an object in Immuta.
Event: TagCreated
Legacy event: tagCreated
Description: An audit event for creating a tag in Immuta.
Event: TagDeleted
Legacy event: tagDeleted
Description: An audit event for deleting a tag in Immuta.
Event: TagRemoved
Legacy event: tagRemoved
Description: An audit event for removing a tag from an object in Immuta.
Event: TagUpdated
Legacy event: tagUpdated
Description: An audit event for updating a tag in Immuta.
Event: UserAuthenticated
Legacy event: authenticate
Description: An audit event for a user authenticating in Immuta.
Additional parameter details: authenticationMethod possible values include
OAuth: The user authenticated using the 3rd party authentication OAuth.
OpenId: The user authenticated using the 3rd party authentication OpenId.
SAML: The user authenticated using the 3rd party authentication SAML.
apiKey: The user authenticated or impersonated using an API key.
password: The user authenticated with username and password.
Event: UserCloned
Legacy event: accessUser
Description: An audit event for creating a new user in Immuta by cloning an existing user.
Event: UserCreated
Legacy event: accessUser
Description: An audit event for creating a new user in Immuta.
Event: UserDeleted
Legacy event: accessUser
Description: An audit event for deleting a user in Immuta.
Event: UserLogout
Legacy events: None
Description: An audit event for a user logging out of Immuta.
Additional parameter details:
authenticationMethod possible values include
OAuth: The user authenticated using the 3rd party authentication OAuth.
OpenId: The user authenticated using the 3rd party authentication OpenId.
SAML: The user authenticated using the 3rd party authentication SAML.
apiKey: The user authenticated or impersonated using an API key.
password: The user authenticated with username and password.
logoutReason possible values include
EXPIRATION: The user was logged out because the token expired.
IDP_INITIATED: The IdP initiated the logout.
USER_LOGOUT_TRIGGERED: The user manually logged out.
Event: UserOneTimeTokenCreated
Legacy event: accessUser
Description: An audit event for creating a single use login token for a user.
Event: UserPasswordUpdated
Legacy event: accessUser
Description: An audit event for updating a user's Immuta password.
Event: UserUpdated
Legacy event: externalUserIdChanged
Description: An audit event for updating user details in Immuta.
Event: WebhookCreated
Legacy event: webhookCreate
Description: An audit event for creating an Immuta webhook.
Event: WebhookDeleted
Legacy event: webhookDelete
Description: An audit event for deleting an Immuta webhook.
DatabricksQuery: Available for or