Immuta reports allow data governors to use a natural language builder to instantly create reports that delineate user activity across Immuta. These reports can be based on various entity types, including users, groups, projects, data sources, purposes, policy types, or connection types.
User reports can be run for all users or for individual users who have been registered in Immuta. Non-registered users' activity will not appear in reports.
All users report option
Data sources subscribed to. This report lists data sources each user is subscribed to and includes user roles, subscription types, when users last subscribed, who approved the users' subscriptions to the data sources, when the subscriptions expire, what attributes the users possess, and the groups the users belong to.
Status of all users. This report lists account information of all users in the system, including the users' full names, usernames, IAMs, HDFS principals, and last login dates.
Individual user report options
Groups the user belongs to. This report lists the names of the groups the user belongs to and the dates that groups were joined.
Data sources the user subscribes to. This report details the data source names, the user's roles, when the user last subscribed, who approved the subscriptions, when the subscriptions expire (if applicable), and the reasons for subscribing (if applicable).
Projects the user is currently a member of. This report lists the project names, whether the projects are public or private, the user's roles in the projects, the creator of the projects, when the projects were created, and when the user joined the projects.
All data sources ever accessed by the user. This report lists the data source names, when the data sources were first accessed by the user (the "read date"), and when the data sources were last accessed by the user. By default, this report only displays the last month of results. (You can download the full report by clicking Export to CSV.) The time period can be configured in the date field at the top of the report's page.
Attributes the user has. This report lists the current attributes a user has and the values assigned to each attribute.
Purposes for accessing data. This report lists all purposes under which the user has accessed data sources. By default, this report only displays the last month of results. (The full report can be downloaded by clicking Export to CSV.) The time period can be configured in the date field at the top of the report's page.
Group reports options
Group Reports can be run for all groups or for individual groups.
All groups report option
Data sources that members of this group are subscribed to. This report lists the data source names, the group's role, when the group last subscribed to the data sources, who approved the subscriptions, the expiration dates (if applicable), and the reasons (if applicable) for the subscriptions.
Individual group report options
Users who belong to the group. This report lists the names of users and the dates the users joined the group.
Data sources that members of this group are subscribed to. This report lists the data source names, the group's role, when the group last subscribed to the data sources, who approved the subscriptions, the expiration dates (if applicable), and the reasons (if applicable) for the subscriptions.
Projects that users in this group are members of. This report includes the names of the projects, whether the projects are public or private, the group's role in the projects, the names of the project creators, when the projects were created, and when the group joined the projects.
Attributes of the group. This report includes the names of the attributes assigned to this group.
Project reports options
Users and groups who are members of the project. This report includes usernames, email addresses, user roles in the project, when the users joined, and the subscription types. The subscription types may be "Individual User," indicating that the user joined the project directly, or it might be "Group," in which case the name of the group will be stated. Group subscriptions occur when an entire group is added to a project.
Data sources that are part of the project. This report lists the data source names, the reasons given when added to the project (if applicable), the users who added the data sources, and when the data sources were added to the project.
Purpose of the project. This report includes the purpose name, the user who added the purpose, and when the purpose was added to the project.
Data source reports options
Data source reports can be run for all data sources or for individual data sources that are registered in Immuta. Activity to non-registered tables will not appear in the reports.
All data sources report option
Users and groups subscribed to data sources. This report lists all users and groups subscribed to every data source and includes usernames, email addresses, subscription types, user roles, subscription dates, who approved the subscriptions, expiration dates, and user attributes.
Individual data source reports options
Users and groups subscribed to the data source. This report lists the names of users, reasons for accessing the data sources (if applicable), user roles, email addresses, when users last subscribed, who approved the subscriptions, when the subscriptions expire (if applicable), and the subscription types. A subscription type may be "Individual User," indicating that the user subscribed to the data sources directly, or it might be "Group," in which case the name of the group will be stated. Group subscriptions occur when an entire group is added to a data source.
Projects that contain the data source. This report lists the project names, the users who added the data source to projects, when the data source was added to projects, the reasons for adding the data sources (if applicable), whether the projects are public or private, who created the projects, and when the projects were created.
Purposes of all projects that contain the data source. This report states the purpose names, the users who assigned the purposes to the projects, the dates the purposes were assigned, the names of the projects, the reasons the purposes were added (if applicable), whether the projects are public or private, who created the projects, and when the projects were created.
All users who have accessed the data source. This report lists usernames, email addresses, each user's latest query, and the date of the last access. By default, this report only displays the last month of results. (The full report can be downloaded by clicking Export to CSV.) The time period can be configured in the date field at the top of the report's page.
All purposes for data source access. This report lists users who have accessed the data source and the purposes under which they were working. By default, this report only displays the last month of results. (The full report can be downloaded by clicking Export to CSV.) The time period can be configured in the date field at the top of the report's page.
All users who have subscribed to the data source. This report lists users or groups, email addresses, when users subscribed, reasons for subscriptions (if applicable), who approved the subscriptions, when the subscriptions expire, and the dates and reasons users unsubscribed (if applicable). By default, this report only displays the last month of results. (The full report can be downloaded by clicking Export to CSV.)
All identifiers for the columns of the data source. This report lists all the identifiers that matched to a column of the data source through sensitive data discovery. It includes information about the column name, the hit percentage, and the number of rows sampled.
Purpose reports options
Users who are members of projects with this purpose. This report lists usernames, email addresses, their roles in the project, the names of the projects, whether the projects are public or private, the creators of the projects, when the projects were created, when users joined, and their subscription types (individual or group).
Data sources that are part of projects with this purpose. This report lists the names of the data sources, who created the data sources, the project names, whether the projects are public or private, the creators of the projects, whether the projects have other purposes, and when the projects were created. Note that whether projects have other purposes will be assigned as "True" or "False."
Whether any other purposes have been combined with this purpose. This report lists the names of the other purposes combined with the purpose you select, the project name where they are combined, the users who added each purpose, the project creator, whether the project is public or private, and the date the project was created.
Projects that have this purpose. This report lists the names of the projects, the users who added the purpose, whether the projects are public or private, creators of the projects, whether the projects have other purposes, and when the projects were created.
Data sources that have been accessed for this purpose. This report lists the names of the data sources, the users who accessed data sources for this purpose, the project names, and whether projects have other purposes. By default, this report only displays the last month of results, but the time period can be configured in the date field at the top of this report's page.
Policy type reports option
Data sources with this policy type. Immuta supports a range of policy types, such as masking, WHERE clauses, purpose restrictions, and more. This report lists every data source with this policy type, including when they were created, who created the data sources, who created the policy, and when the policy was created.
Global policy reports options
Global policy reports can be run for all global policies or for individual global policies.
All global policies report options
Global policies that have been disabled. This report details the names of the policies, the policies themselves, the policy types, the data sources from which the policies were disabled, who disabled the policies, when they were disabled, the justifications the users provided for disabling the policies, who created the policies, when the policies were created, and how the policies were associated with the data sources.
Global policies that cannot currently be applied. This report details the names of the policies, the policies themselves, the policy types, the names of the data sources the policies cannot be applied to, when the data sources were created, when the policies were created, the reasons the policies cannot be applied, who created the policies, and how the policies are associated with the data sources.
Individual global policy reports option
Data sources impacted by the policy. This report lists the data sources, when the data sources were created, and whether or not the policy is fully applied to the data sources.
Data sources impacted by the policy that have not been certified. This report lists the data sources that have not been certified, when the global policy was applied, and the data owner.
Data sources impacted by the policy that have been certified. This report lists the data sources that have been certified, the user that certified it, when the global policy was applied, and when it was certified.
Connection reports option
Data sources with this connection type. This report lists the data sources, each data source's creator, the creation date, and the tables or queries used by the connection selected.
Tag reports options
Tag reports can be run for all tags or for individual tags.
All tag reports options
Data sources this tag has been assigned to. This report generates a list of data sources associated with that tag and includes the columns tagged, the value types of the data tagged, who tagged the data sources, when the data sources were tagged, and when the data sources were created.
Purposes associated with data sources containing this tag. This report generates a list of purposes under which users have accessed data sources containing this tag. By default, this report only displays the last month of results. (The full report can be downloaded by clicking Export to CSV.) The time period can be configured in the date field at the top of the report's page.
Users who have accessed data sources containing this tag. This report lists users who have accessed data sources with this tag, their email addresses, when they queried the data, and when the data sources were created.
Projects that contain data with this tag. This report details the projects associated with this tag, whether or not the projects are public or private, when the projects were created, the data sources in the projects, and when the data sources were created.
Individual tag options
Users that have subscribed to data sources with any tag. This report lists users, their subscription type, and all of the tags in Immuta, with an indication of whether or not each user is subscribed to at least one data source where that tag is applied.
Data sources any tag has been applied to. This report lists data sources with the tags applied to them and the columns they are applied to.
Projects that contain a data source with any tag. This report lists projects and the data sources assigned to them with the tag they have applied.
Sensitive data discovery reports options
Columns with SDD tags applied. This report generates a list of all Discovered tags that have been applied to data sources by sensitive data discovery. It includes information about the column it is applied to within each data source and active policies that use the tag.
Columns with legacy SDD tags. This report generates a list of all Discovered tags applied by legacy SDD and provides context if native SDD also found those tags. It includes information about the data sources, columns, and active policies that use the tag.
Universal Audit Model (UAM)
Immuta’s universal audit model (UAM) provides audit logs with a consistent structure for query, authentication, policy, project, and tag events from your Immuta users and data sources. You can view the information in these UAM audit logs on the Detect dashboards or export the full audit logs to S3 and ADLS for long-term backup and processing with log data processors and tools. This capability fosters convenient integrations with log monitoring services and data pipelines.
When using S3, you can specify the bucket to which Immuta will periodically export audit logs; when using ADLS, you can specify the container destination. If desired, users can configure both export options to export their audit logs to S3 and ADLS simultaneously.
The events captured are the user and system actions that affect Immuta or the integrated data platforms, such as creating policies or data sources and running queries.
The Immuta audit service is an independent microservice that captures audit events from Immuta and queries run against your Snowflake, Databricks Spark, or Unity Catalog integration.
Immuta stores the export endpoints you provide during configuration, retrieves the audit records pushed to the audit service by your integration, and manages the audit exports based on an export schedule you define. These audit records are also stored to support future reporting and user interface enhancements that will allow you to search based on keywords and facets easily across the entire body of audit events.
Audit export workflow
Public preview: This feature is public preview and available to all accounts.
When you configure the audit export using the CLI for S3 and ADLS, the audit service stores the export endpoint you provided.
After the integration endpoint has been configured, the export scheduler will run on the schedule you defined in your configuration.
When users query data and the event is audited, the audit service receives events from your Snowflake, Databricks Spark, Databricks Unity Catalog, or Starburst (Trino) integration.
Immuta exports the audit logs to your configured S3 bucket or ADLS container.
Audit support for platform queries
The table below outlines what information is included in the query audit logs for each integration where query audit is supported.
Table and user coverage by integration:
Snowflake: registered data sources and users
Databricks Spark: registered data sources and users
Databricks Unity Catalog: all tables and users
Starburst (Trino): registered data sources and users
The remaining rows of the table compare, per integration, whether the audit logs include the object queried, the columns returned, the query text, unauthorized information, policy details, the user's entitlements, column tags, and table tags.
Table notes:
Audit for unauthorized access is not currently supported.
Audit including the user's entitlements is not currently supported.
Legend:
✅ This is available and the information is included in audit logs.
❌ This is not available and the information is not included in audit logs.
Limitations
The audit service does not capture system-level logging and debugging information, such as 404 errors.
Snowflake query audit limitations
Snowflake query audit events from a query using cached results will show 0 for the rowsProduced field.
Unity Catalog query audit limitations
Enrichment of audit logs with Immuta entitlements information is not supported. While these entitlements appear in the Databricks Spark audit logs, the following will not be in the Databricks Unity Catalog audit logs:
Immuta policies information
User attributes
Groups
Immuta determines unauthorized events based on error messages within Unity Catalog records. When the error messages contain the expected language, unauthorized events will be available in Databricks Unity Catalog audit logs; in other cases it is not possible to determine the cause of an error.
Unauthorized logs for cluster queries are not marked as unauthorized; they will always be recorded as a failure.
Data source information will be provided when available:
For some queries, Databricks Unity Catalog does not report the target data source for the data access operation. In these cases the activity is audited, but the audit record in Immuta will not include the target data source information.
The target data source information is not available for unauthorized queries and events.
Auditing of the columns affected by a query is not currently supported.
The cluster for the Unity Catalog integration must always be running for Immuta to audit activity and present audit logs.
Unknown Users in Audit Logs
Unity Catalog native query audit brings in audit information for all tables and data sources, so some audit logs are created from activity by users not registered in Immuta. These audit records will appear in Immuta with the username Unknown, still providing valuable information about the activity. This can be seen on the audit page or in the user and data activity dashboards.
Identify users
While the Immuta user is unknown, the user's Databricks Unity Catalog username can be found within the audit log. To view the user's data platform username:
Navigate to the event page.
Select View JSON.
The username can be found in the auditPayload.technologyContext.account.username field.
Register users
To improve your future audit records, ensure these users are properly registered and can be named in the logs:
Use these audit export configuration commands to manage exporting your audit logs to S3 and ADLS Gen2. To configure an audit export, see the Export to S3 or Export to ADLS guides.
Disable a configuration
To disable a configuration, use the disableExportConfiguration mutation:
Databricks Spark Query Audit Logs
In addition to the executed Spark plan, the tables, and the tables' underlying paths for every audited Spark job, Immuta captures the code or query that triggers the Spark plan. Immuta audits the activity of Immuta users on Immuta data sources.
By default, Immuta audit logs expire after 7 days. Export the universal audit model (UAM) logs to S3 or ADLS Gen 2 and store the audit logs outside of Immuta in order to retain them long-term.
Audit schema
Each audit message from the Immuta platform will be a one-line JSON object containing the properties listed below (property: description. Example: value).
action: The action associated with the audit log. Example: QUERY
actor.type: The Immuta user type of the actor who made the query. Example: USER_ACTOR
actor.id: The Immuta user ID of the actor who made the query. Example: taylor@databricks.com
actor.name: The Immuta name of the user who made the query. Example: Taylor
actor.identityProvider: The IAM the user is registered in. bim is the built-in Immuta IAM. Example: bim
sessionId: The session ID of the user who performed the action. Example: 01ee14d9-cab3-1ef6-9cc4-f0c315a53788
actionStatus: Indicates whether or not the user was granted access to the data. Possible values are UNAUTHORIZED, FAILURE, or SUCCESS. Example: SUCCESS
actionStatusReason: When a user's query is denied, this property explains why. When a query is successful, this value is null.
eventTimestamp: The time the query occurred. Example: 2023-06-27T11:03:59.000Z
id: The unique ID of the audit record. Example: 9f542dfd-5099-4362-a72d-8377306db3b8
targetType: The type of targets affected by the query; this value will always be DATASOURCE. Example: DATASOURCE
targets: A list of the targets affected by the query. See the example below.
auditPayload.type: The type of audit record; this value will always be QueryAuditPayload. Example: QueryAuditPayload
auditPayload.queryId: The unique ID of the query. If the query joins multiple tables, each table will appear as a separate log, but all will have the same query ID. Example: 01ee14da-517a-1670-afce-0c3e0fdcf7d4
auditPayload.query: The query that was run in the integration. Immuta truncates the query text to the first 2048 characters. See the example below.
auditPayload.startTime: The date and time the query started in UTC. Example: 2023-06-27T11:03:59.000Z
auditPayload.duration: The time the query took in seconds. Example: 0.557
auditPayload.accessControls: Includes the user's groups, attributes, and current project at the time of the query.
The queryLanguage corresponds to the programming language used: SQL, Python, Scala, or R. Audited JDBC queries will indicate here that they came from JDBC. Example: python
auditPayload.technologyContext.queryText: Contains either the full notebook cell (when the query is the result of a notebook) or the full SQL query (when it is a query from a JDBC connection).
The Immuta plugin version for the Databricks Spark integration. Example: 2022.3.0-spark-3.1.1
receivedTimestamp: The timestamp of when the audit event was received and stored by Immuta. Example: 2023-06-27T15:18:22.314Z
Example queryText
Below is an example of the queryText, which contains the full notebook cell (since the query was the result of a notebook). If the query had been from a JDBC connection, the queryText would contain the full SQL query.
testTable = 'default.crime_data_delta'
testDb = 'test'
df = spark.table(testTable)
df.limit(1).collect()
filteredDf = df.filter('victim_age > 20')
filteredDf.write.saveAsTable('{}.audit_cell'.format(testDb))
spark.table('{}.audit_cell'.format(testDb)).limit(1).collect()
spark.sql('DROP TABLE IF EXISTS {}.audit_cell'.format(testDb))
This notebook cell had multiple audit records associated with it.
Beyond raw audit events (such as "John Doe queried Table X in Databricks"), the Databricks audit records include the policy information enforced during the query execution, even if a query was denied.
Queries will be denied if at least one of the conditions below is true:
User does not meet policy conditions.
User is not subscribed to the data source.
Data source is not in the user's current project.
Data source is in the user's current project, but the user is not subscribed to the data source.
Data source is not registered in Immuta.
User entitlements
The user's entitlements represent the state at the time of the query. This includes the following fields (property: description):
project: The user's current project.
attributes: The user's attributes.
groups: The user's groups.
impersonatedUsers: The user that the current user is impersonating.
Policy information
The policySet includes the following fields (property: description. Possible values: values):
subscriptionPolicyType: The type of subscription policy. Possible values: MANUAL, ADVANCED, or ENTITLEMENTS
type: Indicates whether the policy is a subscription or data policy. Query denied records will always be a subscription policy type. Possible values: SUBSCRIPTION or DATA
ruleAppliedForUser: True if the policy was applied for the user. If false, the user was an exception to the policy. Possible values: true or false
rationale: The policy rationale written by the policy creator.
global: True if the policy was a global policy. If false, the policy is local. Possible values: true or false
mergedPolicies: Shows the policy information for each of the merged global subscription policies, if available.
Starburst (Trino) Query Audit Logs
The Starburst (Trino) query audit logs feature audits queries that users run natively in Starburst (Trino) and presents them in a universal format as Immuta audit logs. Users can view audit records for queries made in Starburst (Trino) against Immuta data sources on the audit page. Immuta audits the activity of Immuta users on Immuta data sources.
Requirements
Starburst (Trino) integration with the Starburst or Trino plugin version 443 or newer, or Trino 435 with the Immuta Trino 435.1 plugin
By default Immuta audit logs expire after 7 days. Export the universal audit model (UAM) logs to S3 or ADLS Gen 2, and store audit logs outside of Immuta in order to retain the audit logs long-term.
Audit schema
Each audit message from the Immuta platform will be a one-line JSON object containing the properties listed below (property: description. Example: value).
action: The action associated with the audit log. Example: QUERY
actor.type: The Immuta user type of the actor who made the query. Example: USER_ACTOR
actor.id: The Immuta user ID of the actor who made the query. Example: taylor@starburst.com
actor.name: The Immuta name of the user who made the query. Example: Taylor
actor.identityProvider: The IAM the user is registered in. bim is the built-in Immuta IAM. Example: bim
actor.profileId: The profile ID of the user who made the query. Example: 10
actionStatus: Indicates whether or not the user was granted access to the data. Possible values are FAILURE or SUCCESS. Unauthorized access is not audited for Starburst (Trino). Example: SUCCESS
eventTimestamp: The time the query occurred. Example: 2023-06-27T11:03:59.000Z
id: The unique Immuta ID of the audit record. This will match the Trino query ID. Example: 20240221_200952_00200_qhadw
tenantId: The Immuta SaaS tenant ID. Example: your-immuta.com
targetType: The type of targets affected by the query; this value will always be DATASOURCE. Example: DATASOURCE
targets: A list of the targets affected by the query. See the example below.
auditPayload.type: The type of audit record; this value will always be QueryAuditPayload. Example: QueryAuditPayload
auditPayload.queryId: The unique Starburst (Trino) ID of the query. Example: 20240221_200952_00200_qhadw
auditPayload.query: The command text of the query that was run in the integration. Immuta truncates the query text to the first 2048 characters. Example: select * from lineitem l join orders o on l.orderkey = o.orderkey limit 10
auditPayload.startTime: The date and time the query started in UTC. Example: 2023-06-27T11:03:59.000Z
auditPayload.duration: The time the query took in seconds. Example: 0.557
auditPayload.objectsAccessed: An array of the data sources accessed in the query. See example below.
auditPayload.objectsAccessed.name: The name of the data source accessed in the query. Example: \"tpch\".\"tiny\".\"customer\"
auditPayload.objectsAccessed.datasourceId: The Immuta data source ID. Example: 17
auditPayload.objectsAccessed.databaseName: The name of the Starburst (Trino) catalog. Example: tpch
auditPayload.objectsAccessed.schemaName: The name of the Starburst (Trino) schema. Example: tiny
auditPayload.objectsAccessed.type: Specifies if the queried data source is a table or view. Starburst (Trino) queries are always LOGICAL_TABLE, which could be either.
If true, the column accessed has been determined by Immuta based on the available audit information from Starburst (Trino) and query parsing. It was not explicitly provided. Example: true
auditPayload.objectsAccessed.securityProfile: See example below.
auditPayload.technologyContext.type: The technology the query was made in. Example: TrinoContext
auditPayload.technologyContext.trinoUsername: The Starburst (Trino) user ID for the user who made the query.
objectsAccessed is not available with Hive or Iceberg views.
columnsAccessed will include columns related to the query that were not actually accessed in some cases:
For row access policies that rely on a column in the queried table, that column will be included in the columnsAccessed even if it was not part of the query.
For conditional masking, if the policy protects a column that was accessed, then the conditional column will be included in the columnsAccessed.
Snowflake Query Audit Logs
The Snowflake query audit logs feature audits queries that users run natively in Snowflake and presents them in a universal format as Immuta audit logs. Immuta uses the Snowflake QUERY_HISTORY and ACCESS_HISTORY tables and translates them into audit logs that can be viewed as query events in the Immuta UI or exported to S3. Immuta audits the activity of Immuta users on Immuta data sources.
By default Immuta audit logs expire after 7 days. Export the universal audit model (UAM) logs to S3 or ADLS Gen 2, and store audit logs outside of Immuta in order to retain the audit logs long-term.
Audit frequency
Immuta collects audit records at the frequency configured when enabling the integration, which is between 1 and 24 hours. The frequency is a global setting based on integration type, so organizations with multiple Snowflake integrations will have the same audit frequency for all of them. The more frequent the audit records are ingested, the more current the audit records; however, there could be performance and cost impacts from the frequent jobs.
To manually request native query audit ingestion, click Load Audit Events on the Immuta audit page.
Audit schema
Each audit message from the Immuta platform will be a one-line JSON object containing the properties listed below (property: description. Example: value).
action: The action associated with the audit log. Example: QUERY
actor.type: The Immuta user type of the actor who made the query. Example: USER_ACTOR
actor.id: The Immuta user ID of the actor who made the query. Example: taylor@snowflake.com
actor.name: The Immuta name of the user who made the query. Example: Taylor
actor.identityProvider: The IAM the user is registered in. bim is the built-in Immuta IAM. Example: bim
sessionId: The session ID of the user who performed the action. Example: 01ee14d9-cab3-1ef6-9cc4-f0c315a53788
actionStatus: Indicates whether or not the user was granted access to the data. Possible values are UNAUTHORIZED, FAILURE, or SUCCESS. Example: SUCCESS
actionStatusReason: When available, the reason from Unity Catalog that the user's query was denied. Example: null if actionStatus is SUCCESS
eventTimestamp: The time the query occurred. Example: 2023-06-27T11:03:59.000Z
id: The unique ID of the audit record. Example: 9f542dfd-5099-4362-a72d-8377306db3b8
userAgent: Client information of the user who made the query. Example: Snowflake Web App
tenantId: The Immuta SaaS tenant ID. Example: your-immuta.com
targetType: The type of targets affected by the query; this value will always be DATASOURCE. Example: DATASOURCE
targets: A list of the targets affected by the query. See the example below.
auditPayload.type: The type of audit record; this value will always be QueryAuditPayload. Example: QueryAuditPayload
auditPayload.queryId: The unique ID of the query. If the query joins multiple tables, each table will appear as a separate log, but all will have the same query ID. Example: 01ee14da-517a-1670-afce-0c3e0fdcf7d4
auditPayload.query: The command text of the query that was run in the integration. Immuta truncates the query text to the first 2048 characters. Example: SELECT VERSION AS 'version' FROM 'sample-data'.'__immuta_version'
auditPayload.startTime: The date and time the query started in UTC. Example: 2023-06-27T11:03:59.000Z
auditPayload.duration: The time the query took in seconds. Example: 0.557
auditPayload.errorCode: The errorCode for the denied query. Example: null if actionStatus is SUCCESS
auditPayload.technologyContext.type: The technology the query was made in. Example: SnowflakeContext
auditPayload.technologyContext.host: The host that the integration is connected to. Example: your-hostname.snowflake.computing.com
auditPayload.technologyContext.snowflakeUsername: The user's Snowflake username. Example: taylor@snowflake.com
auditPayload.technologyContext.rowsProduced: The number of rows returned in the query. Note that rows produced will show 0 for cached queries. Example: 3
auditPayload.technologyContext.roleName: The Snowflake role the user used to make the query. Example: ACCOUNTADMIN
auditPayload.technologyContext.warehouseId: The ID of the warehouse where the query was made. Example: null
auditPayload.technologyContext.warehouseName: The name of the warehouse where the query was made. Example: null
auditPayload.technologyContext.clusterNumber: The number of the cluster where the query was made. Example: 0
auditPayload.objectsAccessed: An array of the data sources accessed in the query. See example below.
auditPayload.objectsAccessed.name: The name of the data source accessed in the query. Example: \"tpch\".\"tiny\".\"customer\"
auditPayload.objectsAccessed.datasourceId: The Immuta data source ID. Example: 17
auditPayload.objectsAccessed.databaseName: The name of the Snowflake database. Example: tpch
auditPayload.objectsAccessed.schemaName: The name of the Snowflake schema. Example: tiny
auditPayload.objectsAccessed.type: Specifies if the queried data source is a table or view.
Native query audit for Databricks Unity Catalog captures user data access within Unity Catalog and presents it in a universal format as Immuta audit logs. Multiple access options are supported for audit:
Cluster queries with the following supported languages: SQL, Scala, Python, and R.
SQL warehouse queries
Immuta audits the activity of all Unity Catalog users and tables.
Requirement
Store audit logs
By default, Immuta audit logs expire after 7 days. Export the universal audit model (UAM) logs to or , and store the audit logs outside of Immuta in order to retain them long-term.
Audit frequency
Immuta collects audit records at the frequency , which is between 1 and 24 hours. The frequency is a global setting based on integration type, so organizations with multiple Unity Catalog integrations will have the same audit frequency for all of them. The more frequently audit records are ingested, the more current they are; however, frequent jobs can have performance and cost impacts. Immuta will start a Databricks cluster to complete the audit ingest job if one is not already running.
To manually prompt the native query audit, click Load Audit Events on the Immuta audit page.
Audit schema
Each audit message from the Immuta platform will be a one-line JSON object containing the properties listed below.
Example audit record
Limitations
Enrichment of audit logs with Immuta entitlements information is not supported. While you will see these entitlements in the Databricks Spark audit logs, the following will not be in the native query audit for Unity Catalog:
Immuta policies information
User attributes
Groups
Immuta determines unauthorized events based on error messages within Unity Catalog records. When the error messages contain expected language, unauthorized events will be available for native query audit for Unity Catalog. In other cases, it is not possible to determine the cause of an error.
Audit for cluster queries does not support the UNAUTHORIZED status. If a cluster query is unauthorized, it will show FAILURE.
Data source information will be provided when available:
For some queries, Databricks Unity Catalog does not report the target data source for the data access operation. In these cases the activity is audited, yet the audit record in Immuta will not include the target data source information.
Data source information is not available for unauthorized queries and events.
Column information from the query is not currently supported.
Immuta audit records include unregistered data sources and users; however, activity from them will not appear in any .
| Property | Description | Example |
|---|---|---|
| actor.type | The Immuta user type of the actor who made the query. When the actor is not registered with Immuta, the type, id, and name fields will be unknown. | USER_ACTOR |
| actor.id | The Immuta user ID of the actor who made the query. When the actor is not registered with Immuta, the type, id, and name fields will be unknown. | taylor@databricks.com |
| actor.name | The Immuta name of the user who made the query. When the user is not registered with Immuta, the type, id, and name fields will be unknown. | Taylor |
| actor.identityProvider | The IAM the user is registered in. bim is the built-in Immuta IAM. When the user is not registered with Immuta, this field will be omitted. | bim |
| actor.profileId | The profile ID of the user who made the query. When the user is not registered with Immuta, this field will be omitted. | 10 |
| sessionId | The session ID of the user who performed the action. | 01ee14d9-cab3-1ef6-9cc4-f0c315a53788 |
| requestId | The API request ID that triggered the action, if applicable. | 504b8fd9-38c1-4a90-966e-7445a6675f79 |
| actionStatus | Indicates whether or not the user was granted access to the data. Possible values are UNAUTHORIZED, FAILURE, or SUCCESS. | SUCCESS |
| actionStatusReason | When available, the reason from Unity Catalog that the user's query was denied. | null if actionStatus is SUCCESS |
| eventTimestamp | The time the query occurred. | 2023-06-27T11:03:59.000Z |
| id | The unique ID of the audit record. | 9f542dfd-5099-4362-a72d-8377306db3b8 |
| tenantId | The Immuta SaaS tenant ID. | your-immuta.com |
| userAgent | Client information of the user who made the query. | - |
| targetType | The type of targets affected by the query; this value will always be DATASOURCE. | DATASOURCE |
| targets | A list of the targets affected by the query. | See the example below |
| auditPayload.type | The type of audit record; this value will always be QueryAuditPayload. | QueryAuditPayload |
| auditPayload.queryId | The unique ID of the query. If the query joins multiple tables, each table will appear as a separate log, but all will have the same query ID. | 01ee14da-517a-1670-afce-0c3e0fdcf7d4 |
| auditPayload.query | The command text of the query that was run in the integration. Immuta truncates the query text to the first 2048 characters. | SELECT VERSION AS `version` FROM `sample-data`.`__immuta_version` |
| auditPayload.startTime | The date and time the query started in UTC. | 2023-06-27T11:03:59.000Z |
| auditPayload.duration | The time the query took in seconds. | 0.557 |
| auditPayload.errorCode | The errorCode for the denied query. | null if actionStatus is SUCCESS |
| auditPayload.technologyContext.type | The technology the query was made in. | DatabricksContext |
| auditPayload.technologyContext.clusterId | The Unity Catalog cluster ID. | null |
| auditPayload.technologyContext.workspaceId | The Unity Catalog workspace ID. | 8765531160949612 |
| auditPayload.technologyContext.service | Where in Unity Catalog the query was made. Possible values are SQL for SQL warehouses and NOTEBOOK for notebooks. | SQL |
| auditPayload.technologyContext.warehouseId | The Unity Catalog warehouse ID. | 559483c6eac0359f |
| auditPayload.technologyContext.notebookId | The Unity Catalog notebook ID. | 869500255746458 |
| auditPayload.technologyContext.account.id | The actor's Unity Catalog account ID. | 52e863bc-ea7f-46a9-8e17-6aed7541832d |
| auditPayload.technologyContext.account.username | The actor's Unity Catalog username. | taylor@databricks.com |
| auditPayload.technologyContext.host | The Unity Catalog host. | deployment-name.cloud.databricks.com |
| auditPayload.technologyContext.clientIp | The IP address of the Spark cluster the request is coming from. | 0.0.0.0 |
| auditPayload.technologyContext.queryLanguage | The programming language used for the query: SQL, Python, Scala, or R. Audited JDBC queries show JDBC here. | python |
| auditPayload.objectsAccessed | The Unity Catalog objects accessed. | [] |
| auditPayload.securityProfile.sensitivity.score | The sensitivity score of the query. Classification must be configured for this field. | INDETERMINATE |
| auditPayload.version | The version of the audit event schema. | 1 |
| receivedTimestamp | The timestamp of when the audit event was received and stored by Immuta. | |
```json
{
  "action": "QUERY",
  "actor": {
    "type": "USER_ACTOR",
    "id": "taylor@immuta.com",
    "name": "Taylor",
    "identityProvider": "bim",
    "profileId": "10"
  },
  "sessionId": "01ee14d9-cab3-1ef6-9cc4-f0c315a53788",
  "requestId": "504b8fd9-38c1-4a90-966e-7445a6675f79",
  "actionStatus": "SUCCESS",
  "actionStatusReason": null,
  "eventTimestamp": "2023-06-27T11:03:59.000Z",
  "id": "01ee14da-517a-1670-afce-0c3e0fdcf7d4",
  "tenantId": "your-immuta.com",
  "userAgent": "",
  "targetType": "DATASOURCE",
  "targets": [
    {
      "type": "DATASOURCE",
      "id": "2034",
      "name": "University Art Gallery Exhibition",
      "technology": "DATABRICKS"
    }
  ],
  "relatedResources": [],
  "auditPayload": {
    "type": "QueryAuditPayload",
    "queryId": "01ee14da-517a-1670-afce-0c3e0fdcf7d4",
    "query": "SELECT VERSION AS `version` FROM `sample-data`.`__immuta_version`",
    "startTime": "2023-06-27T11:03:59.000Z",
    "duration": 23.568,
    "errorCode": null,
    "technologyContext": {
      "type": "DatabricksContext",
      "clusterId": null,
      "workspaceId": "3841033049363283",
      "service": "SQL",
      "warehouseId": "559483c6eac0359f",
      "notebookId": null,
      "account": {
        "id": "52e863bc-ea7f-46a9-8e17-6aed7541832d",
        "username": "taylor@databricks.com"
      },
      "host": "deployment-name.cloud.databricks.com",
      "clientIp": "0.0.0.0"
    },
    "objectsAccessed": [],
    "securityProfile": {
      "sensitivity": {
        "score": "INDETERMINATE"
      }
    },
    "version": 1
  },
  "receivedTimestamp": "2023-06-27T15:18:22.314Z"
}
```
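Because a join produces one record per table that share an auditPayload.queryId, because unregistered actors omit identityProvider, and because cluster queries report a denial as FAILURE rather than UNAUTHORIZED, these messages need grouping and normalizing before review. The following is an added example (not Immuta's code) that does this for both the Snowflake and Databricks schemas documented above; the sample lines, error code, cluster ID and review labels are constructed for the example.

```python
"""Build per-query review summaries from Immuta query-audit messages (one JSON
object per line). Added example, not Immuta's code; sample lines are constructed."""
import json

# Immuta truncates auditPayload.query to its first 2048 characters.
QUERY_TEXT_LIMIT = 2048

# Constructed sample input. Lines 1 and 2 share a queryId (one join, two data
# sources, two records); line 3 is a denied Snowflake query; line 4 is a
# Databricks notebook (cluster) query by an actor not registered in Immuta,
# so identityProvider is omitted and type/id/name are unknown.
SAMPLE_AUDIT_LINES = """\
{"action":"QUERY","actor":{"type":"USER_ACTOR","id":"taylor@databricks.com","name":"Taylor","identityProvider":"bim","profileId":"10"},"actionStatus":"SUCCESS","actionStatusReason":null,"eventTimestamp":"2023-06-27T11:03:59.000Z","id":"rec-1","targetType":"DATASOURCE","targets":[{"type":"DATASOURCE","id":"17","name":"customer","technology":"DATABRICKS"}],"auditPayload":{"type":"QueryAuditPayload","queryId":"q-1","query":"SELECT c.name FROM tpch.tiny.customer c JOIN tpch.tiny.orders o ON c.id = o.cust_id","startTime":"2023-06-27T11:03:59.000Z","duration":0.557,"errorCode":null,"technologyContext":{"type":"DatabricksContext","service":"SQL","clusterId":null},"objectsAccessed":[{"name":"tpch.tiny.customer","datasourceId":17}],"version":1}}
{"action":"QUERY","actor":{"type":"USER_ACTOR","id":"taylor@databricks.com","name":"Taylor","identityProvider":"bim","profileId":"10"},"actionStatus":"SUCCESS","actionStatusReason":null,"eventTimestamp":"2023-06-27T11:03:59.000Z","id":"rec-2","targetType":"DATASOURCE","targets":[{"type":"DATASOURCE","id":"18","name":"orders","technology":"DATABRICKS"}],"auditPayload":{"type":"QueryAuditPayload","queryId":"q-1","query":"SELECT c.name FROM tpch.tiny.customer c JOIN tpch.tiny.orders o ON c.id = o.cust_id","startTime":"2023-06-27T11:03:59.000Z","duration":0.557,"errorCode":null,"technologyContext":{"type":"DatabricksContext","service":"SQL","clusterId":null},"objectsAccessed":[{"name":"tpch.tiny.orders","datasourceId":18}],"version":1}}
{"action":"QUERY","actor":{"type":"USER_ACTOR","id":"taylor@snowflake.com","name":"Taylor","identityProvider":"bim"},"actionStatus":"UNAUTHORIZED","actionStatusReason":"Insufficient privileges","eventTimestamp":"2023-06-27T11:05:00.000Z","id":"rec-3","targetType":"DATASOURCE","targets":[],"auditPayload":{"type":"QueryAuditPayload","queryId":"q-2","query":"SELECT * FROM hr.payroll","startTime":"2023-06-27T11:05:00.000Z","duration":0.01,"errorCode":"constructed-error-code","technologyContext":{"type":"SnowflakeContext","roleName":"ANALYST"},"objectsAccessed":[],"version":1}}
{"action":"QUERY","actor":{"type":"unknown","id":"unknown","name":"unknown"},"actionStatus":"FAILURE","actionStatusReason":null,"eventTimestamp":"2023-06-27T11:06:00.000Z","id":"rec-4","targetType":"DATASOURCE","targets":[],"auditPayload":{"type":"QueryAuditPayload","queryId":"q-3","query":"spark.read.table('hr.payroll').show()","startTime":"2023-06-27T11:06:00.000Z","duration":2.5,"errorCode":null,"technologyContext":{"type":"DatabricksContext","service":"NOTEBOOK","clusterId":"constructed-cluster-id","queryLanguage":"python"},"objectsAccessed":[],"version":1}}
"""


def parse_audit_lines(text):
    """Each non-empty line is one complete audit record."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def actor_label(record):
    """Registered actors carry identityProvider; unregistered ones omit it."""
    actor = record.get("actor", {})
    if "identityProvider" not in actor:
        return "unregistered"
    return f"{actor['id']} ({actor['identityProvider']})"


def review_reason(record):
    """None for SUCCESS, otherwise why the record needs a look. Cluster queries
    never report UNAUTHORIZED: a denied one surfaces as FAILURE instead."""
    status = record["actionStatus"]
    if status == "SUCCESS":
        return None
    if status == "UNAUTHORIZED":
        return f"unauthorized: {record.get('actionStatusReason')}"
    ctx = record["auditPayload"].get("technologyContext") or {}
    if ctx.get("type") == "DatabricksContext" and ctx.get("service") == "NOTEBOOK":
        return "failure on cluster query (may be a denied access)"
    return "failure"


def summarize_queries(records):
    """Collapse the per-table records of one query (same auditPayload.queryId)
    into one summary, keyed by queryId in first-seen order."""
    summaries = {}
    for rec in records:
        payload = rec["auditPayload"]
        entry = summaries.setdefault(payload["queryId"], {
            "actor": actor_label(rec),
            "technology": (payload.get("technologyContext") or {}).get("type"),
            "data_sources": [],
            "review": None,
            "query_truncated": len(payload.get("query") or "") >= QUERY_TEXT_LIMIT,
        })
        for obj in payload.get("objectsAccessed") or []:
            if obj.get("name") and obj["name"] not in entry["data_sources"]:
                entry["data_sources"].append(obj["name"])
        # One denied or failed record flags the whole query.
        entry["review"] = entry["review"] or review_reason(rec)
    return summaries


def queries_needing_review(records):
    """Only the queries that have at least one non-SUCCESS record."""
    return {qid: s for qid, s in summarize_queries(records).items() if s["review"]}
```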
UAM Schema
Universal audit model (UAM) is Immuta's consistent structure for all Immuta system and user query audit logs. This reference guide provides example schemas of all the UAM events available in Immuta.
Parameter details appear throughout this guide to help explain the UAM schemas, but two parameters are present in every event:
targetType: Informs the Immuta object that's the target of the action being audited. This will specify if it was a user, project, policy, etc. being affected by the action.
action: Informs the base action being performed on the target. This will specify if something was created, deleted, updated, etc.
To learn more about Immuta's audit, see the UAM reference page or view the examples below.
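Those two keys, targetType and action, are enough to route every UAM event without knowing each payload type in advance. The following is an added example (not Immuta's code) that builds a review timeline from constructed records shaped like the ones on this page; the interest mapping is the example's own, and the payload fields it reads (auditPayload.policy.actions[].rules[].type) are taken from the GlobalPolicyUpdated record below.

```python
"""Route Immuta UAM events by the two keys every event carries, targetType and
action, into a reviewable change timeline. Added example, not Immuta's code;
the records below are constructed in the shape of this page's examples."""
import json

# Which (targetType, action) pairs a reviewer wants first. This mapping is a
# constructed policy for the example, not an Immuta default.
INTEREST = {
    ("GLOBAL_POLICY", "UPDATE"): "high",
    ("GLOBAL_POLICY", "DELETE"): "high",
    ("PURPOSE", "UPSERT"): "medium",
    ("PROJECT", "CREATE"): "low",
}
LEVEL = {"info": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample events: a masking policy update, a project creation, and
# a failed data source deletion (actionStatus FAILURE, no INTEREST entry).
SAMPLE_UAM_LINES = """\
{"id":"evt-1","eventTimestamp":"2023-10-24T18:06:21.155Z","actionStatus":"SUCCESS","actor":{"type":"USER_ACTOR","name":"Taylor Smith","identityProvider":"bim","profileId":"1","id":"taylor@immuta.com"},"targetType":"GLOBAL_POLICY","targets":[{"id":"7","policyKey":"mask pii","type":"GLOBAL_POLICY","name":"Mask PII"}],"action":"UPDATE","auditPayload":{"version":1,"type":"GlobalPolicyUpdatedAuditPayload","policy":{"type":"DATA","circumstance":{"type":"WHEN_SELECTED"},"actions":[{"type":"DATA","dataPolicyType":"MASKING","rules":[{"type":"MASKING_HASH","columnCondition":{"type":"TAG","tags":["AuditTesting"]},"exceptions":null}]}]}}}
{"id":"evt-2","eventTimestamp":"2023-09-13T13:43:04.225Z","actionStatus":"SUCCESS","actor":{"type":"USER_ACTOR","name":"Taylor Smith","identityProvider":"bim","profileId":"1","id":"taylor@immuta.com"},"targetType":"PROJECT","targets":[{"id":"6","type":"PROJECT","projectKey":"hr","name":"HR"}],"action":"CREATE","auditPayload":{"type":"ProjectCreatedAuditPayload","version":1,"projectId":"6","name":"HR","purposes":[]}}
{"id":"evt-3","eventTimestamp":"2024-04-18T18:25:40.623Z","actionStatus":"FAILURE","actor":{"type":"USER_ACTOR","name":"Taylor Smith","identityProvider":"bim","profileId":"1","id":"taylor@immuta.com"},"targetType":"DATASOURCE","targets":[{"id":"2034","type":"DATASOURCE","name":"Customer Data"}],"action":"DELETE","auditPayload":{"version":1}}
"""


def parse_uam_lines(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def policy_rule_types(event):
    """For GlobalPolicyUpdatedAuditPayload: the rule types across all policy
    actions (e.g. MASKING_HASH), so a reviewer sees what the policy now does."""
    policy = event.get("auditPayload", {}).get("policy") or {}
    return [rule["type"]
            for action in policy.get("actions", [])
            for rule in action.get("rules", [])]


def timeline_entry(event):
    """Who did what to which target, with the interest level from INTEREST
    ("info" for any pair not listed there)."""
    key = (event["targetType"], event["action"])
    names = ", ".join(t.get("name", t.get("id", "?")) for t in event.get("targets", []))
    entry = {
        "time": event["eventTimestamp"],
        "actor": event["actor"].get("id", "unknown"),
        "what": f"{event['action']} {event['targetType']} {names}".strip(),
        "status": event["actionStatus"],
        "interest": INTEREST.get(key, "info"),
    }
    if key == ("GLOBAL_POLICY", "UPDATE"):
        entry["rules"] = policy_rule_types(event)
    return entry


def build_timeline(events, min_interest="low"):
    """Entries at or above min_interest, oldest first. Non-SUCCESS events are
    kept regardless of interest: a failed change attempt is still signal."""
    kept = [e for e in map(timeline_entry, events)
            if LEVEL[e["interest"]] >= LEVEL[min_interest] or e["status"] != "SUCCESS"]
    return sorted(kept, key=lambda e: e["time"])
```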
Events and descriptions

| Immuta object | Description |
|---|---|
| API keys | Audit events for managing API keys. |
| Attributes | Audit events for managing attributes. |
| Configuration | An audit event for Immuta configuration changes. |
| Data sources | Audit events for actions on data sources and their policies. |
| Domains | Audit events for managing domains, domain policies, and domain permissions. |
| Global policies | Audit events for managing global policies. |
| Groups | Audit events for managing Immuta groups and group members. |
| License | Audit events for managing Immuta licenses. |
| Local policies | Audit events for managing local policies. |
| Permissions | Audit events for managing user permissions. |
| Policy adjustments | Audit events for managing policy adjustments in a project. |
| Projects | Audit events for managing projects and their purposes. |
| Purposes | Audit events for managing purposes. |
| Queries | Audit events for user queries within data platforms. |
| Sensitive data discovery (SDD) | Audit events for managing and running SDD. |
| Tags | Audit events for managing tags and their application. |
| Users | Audit events for user actions, managing users, and managing the objects users are subscribed to in Immuta. |
| Webhooks | Audit events for managing webhooks. |
ApiKeyCreated event
Event: ApiKeyCreated
Legacy event: apiKey
Description: An audit event for when an API key is created on the Immuta app settings page or from an Immuta user's profile page.
Description: An audit event for a global policy being updated with details about the policy.
```json
{
  "tenantId": "your-immuta-tenant.com",
  "receivedTimestamp": "2023-10-24T18:06:21.278Z",
  "eventTimestamp": "2023-10-24T18:06:21.155Z",
  "actorIp": "xxx.xx.xx.xx",
  "requestId": "c2554ade-fbea-54b4-bfa5-a652d8a34309",
  "actionStatus": "SUCCESS",
  "relatedResources": [],
  "actor": {
    "type": "USER_ACTOR",
    "name": "Taylor Smith",
    "identityProvider": "bim",
    "profileId": "1",
    "id": "taylor@immuta.com"
  },
  "id": "f2346f5b-07b3-4f71-a0e1-9635e3b7cacc",
  "targetType": "GLOBAL_POLICY",
  "targets": [
    {
      "id": "7",
      "policyKey": "mask pii",
      "type": "GLOBAL_POLICY",
      "name": "Mask PII"
    }
  ],
  "action": "UPDATE",
  "auditPayload": {
    "version": 1,
    "policy": {
      "circumstance": {
        "type": "WHEN_SELECTED"
      },
      "actions": [
        {
          "dataPolicyType": "MASKING",
          "type": "DATA",
          "rules": [
            {
              "type": "MASKING_HASH",
              "columnCondition": {
                "tags": ["AuditTesting"],
                "type": "TAG"
              },
              "exceptions": null
            }
          ],
          "rationale": null
        }
      ],
      "type": "DATA",
      "certification": {
        "label": "Personal information certification",
        "tags": ["AuditTesting"],
        "description": "I certify that I understand this data source contains personally identifiable information and will use the data appropriately and responsibly to the company policies."
      }
    },
    "type": "GlobalPolicyUpdatedAuditPayload"
  },
  "sessionId": "1a8a16c58f29172d9a59224030617184"
}
```
GroupCreated event
Event: GroupCreated
Legacy event: accessGroup
Description: An audit event for a group created in Immuta.
Description: An audit event for creating a project in Immuta.
```json
{
  "action": "CREATE",
  "tenantId": "your-immuta-tenant.com",
  "actor": {
    "type": "USER_ACTOR",
    "identityProvider": "bim",
    "name": "Taylor Smith",
    "profileId": "1",
    "id": "taylor@immuta.com"
  },
  "eventTimestamp": "2023-09-13T13:43:04.225Z",
  "auditPayload": {
    "equalization": null,
    "projectKey": "hr",
    "purposes": [],
    "disabled": false,
    "type": "ProjectCreatedAuditPayload",
    "datasources": [],
    "allowMaskedJoins": false,
    "stagedPurposes": [],
    "projectId": "6",
    "version": 1,
    "name": "HR",
    "description": null,
    "tags": [],
    "documentation": "# A project for all internal employee data for HR use."
  },
  "targets": [
    {
      "id": "6",
      "type": "PROJECT",
      "projectKey": "hr",
      "name": "HR"
    }
  ],
  "relatedResources": [],
  "actorIp": "xxx.xx.xx.xx",
  "sessionId": "cdbffff8804103418350947c6586712c",
  "actionStatus": "SUCCESS",
  "targetType": "PROJECT",
  "id": "8d6da097-b5d8-4f19-8737-9c1d8e453f93",
  "receivedTimestamp": "2023-09-13T13:43:04.515Z",
  "requestId": "49b37341-83d2-576c-a560-29b224654c4e"
}
```
ProjectDeleted event
Event: ProjectDeleted
Legacy event: projectDelete
Description: An audit event for deleting a project in Immuta.
Description: An audit event for acknowledging a purpose for a project in Immuta.
```json
{
  "requestId": "ea287df8-2fd2-57c2-86c3-cdb421ec3f64",
  "auditPayload": {
    "purposes": [
      {
        "id": "5",
        "name": "Re-identification Prohibited.Expert Determination",
        "acknowledgement": "I agree to use the data associated with this project for the stated purpose of the project, and for that purpose only, as listed in the project's homepage, and to refrain from sharing that data outside of the project or Immuta, unless the data recipient is required to adhere to a data sharing protocol specifying relevant security arrangements.\n\nI acknowledge that combining the project data (and derivations thereof) with other data, including data produced in different projects or under different utility adjustments within the same project, can undermine the expert determination, and is therefore outside its scope.\n\nI also agree not to re-identify or take any steps to re-identify the individuals whose health information is contained in the data sources attached to the project. In the event that these individuals have been identified or that I discover risks that I believe could lead to their identification, I agree to immediately notify the project owner or governance team and take immediate action to address and mitigate such risks. I further agree to refrain from contacting any individuals who might be identified."
      }
    ],
    "subscriptionId": "8",
    "type": "ProjectPurposesAcknowledgedAuditPayload",
    "version": 1,
    "projectId": "2"
  },
  "action": "PURPOSE_ACKNOWLEDGE",
  "actor": {
    "id": "taylor@immuta.com",
    "name": "Taylor Smith",
    "profileId": "1",
    "type": "USER_ACTOR",
    "identityProvider": "bim"
  },
  "targetType": "PROJECT",
  "eventTimestamp": "2023-10-13T14:12:18.083Z",
  "relatedResources": [
    {
      "id": "5",
      "name": "Re-identification Prohibited.Expert Determination",
      "type": "PURPOSE"
    }
  ],
  "actionStatus": "SUCCESS",
  "receivedTimestamp": "2023-10-13T14:12:18.216Z",
  "tenantId": "your-immuta-tenant.com",
  "targets": [
    {
      "id": "2",
      "name": "HR",
      "type": "PROJECT",
      "projectKey": "hr"
    }
  ],
  "actorIp": "xxx.xx.xx.xx",
  "id": "d21f9673-7b96-4bbe-abca-8d0aaec67c87",
  "sessionId": "6b928653b1411078647a2764a72beca6"
}
```
ProjectUpdated event
Event: ProjectUpdated
Legacy event: projectPurposeDeny
Description: An audit event for updating a project in Immuta.
Description: An audit event for updating a purpose in Immuta.
```json
{
  "id": "eafa29d6-d61f-4aab-a958-106f25bbfa0b",
  "sessionId": "e3e0aba1e69c06dbf64710c889b3f2d8",
  "requestId": "f5ef5320-2237-56cb-bc56-929a5e6f8299",
  "action": "UPDATE",
  "actionStatus": "SUCCESS",
  "actor": {
    "name": "Taylor Smith",
    "id": "taylor@immuta.com",
    "identityProvider": "bim",
    "profileId": "1",
    "type": "USER_ACTOR"
  },
  "actorIp": "xxx.xx.xx.xx",
  "tenantId": "your-immuta-tenant.com",
  "targetType": "PURPOSE",
  "targets": [
    {
      "type": "PURPOSE",
      "id": "1",
      "name": "Human resources use"
    }
  ],
  "relatedResources": [],
  "auditPayload": {
    "type": "PurposeUpdatedAuditPayload",
    "description": "The data covered by the purpose should only be used by users within HR who will use this data for human resources purposes.",
    "kAnonNoiseReduction": "Medium",
    "adjustmentCertificationText": "Cert statement",
    "name": "Human resources use",
    "acknowledgement": "I agree to use this data for internal human resources needs.",
    "subpurposes": []
  },
  "eventTimestamp": "2024-04-18T18:25:40.623Z",
  "receivedTimestamp": "2024-04-18T18:25:40.864Z",
  "type": "PurposeUpdated",
  "version": "1.0.0"
}
```
PurposeUpserted event
Event: PurposeUpserted
Legacy event: purposeCreate
Description: An audit event for creating a purpose in Immuta.
```json
{
  "id": "eafa29d6-d61f-4aab-a958-106f25bbfa0b",
  "sessionId": "e3e0aba1e69c06dbf64710c889b3f2d8",
  "requestId": "f5ef5320-2237-56cb-bc56-929a5e6f8299",
  "action": "UPSERT",
  "actionStatus": "SUCCESS",
  "actor": {
    "name": "Taylor Smith",
    "id": "taylor@immuta.com",
    "identityProvider": "bim",
    "profileId": "1",
    "type": "USER_ACTOR"
  },
  "actorIp": "xxx.xx.xx.xx",
  "tenantId": "your-immuta-tenant.com",
  "targetType": "PURPOSE",
  "targets": [
    {
      "type": "PURPOSE",
      "id": "1",
      "name": "Human resources use"
    }
  ],
  "relatedResources": [],
  "auditPayload": {
    "type": "PurposeUpsertedAuditPayload",
    "description": "The data covered by the purpose should only be used by users within HR who will use this data for human resources purposes.",
    "kAnonNoiseReduction": "Small",
    "adjustmentCertificationText": "Cert statement",
    "name": "Human resources use",
    "acknowledgement": "I agree to use this data for internal human resources needs.",
    "subpurposes": []
  },
  "eventTimestamp": "2024-04-18T18:25:40.623Z",
  "receivedTimestamp": "2024-04-18T18:25:40.864Z",
  "type": "PurposeUpserted",
  "version": "1.0.0"
}
```
SDDClassifierCreated event
Event: SDDClassifierCreated
Legacy event: sddClassifierCreated
Description: An audit event for creating a sensitive data discovery (SDD) column name regex, regex, or dictionary identifier.
Additional parameter details:
auditPayload.config.columnNameRegex: For column name regex identifiers, the regex to match against column names.
auditPayload.config.values: For dictionary identifiers, the values within the dictionary identifier to match against column values.
auditPayload.config.regex: For regex identifiers, the regex to match against column values.