# Extracting Insights from Immuta Audit Logs Collecting audit logs is a critical first step—but the true value comes from transforming that data into insights that strengthen governance, demonstrate compliance, and proactively manage risk. This guide is for teams who have already set up Immuta audit log exports and are ready to take the next step: using those logs to answer real-world access and policy questions. You’ll learn how to focus on the events that matter most, set up targeted monitoring strategies, and identify when to use dashboards versus real-time notifications. We’ll also walk through example scenarios, from tracking permission changes to detecting newly registered PII, so you can see how audit data translates into actionable intelligence in your environment. Immuta retains logs for 90 days by default, so exporting audit logs to secure storage (e.g., Amazon S3 or Azure Data Lake Gen2) ensures long-term visibility and enables deeper analysis. If you haven’t completed export setup yet, see the [Audit how-to guides](https://documentation.immuta.com/saas/govern/secure-your-data/projects-and-purpose-based-access-control/write-index/how-to-guides) before continuing. ## Develop your audit strategy Immuta’s audit logs can answer dozens of questions, but the most effective audit programs begin by focusing on what matters most to your business. By starting with the right questions, you’ll avoid sifting through logs without context and instead focus on insights that align with your access model, compliance requirements, and risk profile. This section is designed to help you move from reactive logging to a proactive, business-aligned audit strategy. ### Discovery questions to guide your audit priorities **Access control and entitlements** * Are you responsible for tracking how user entitlements shift over time? * Monitor `SubscriptionUpdated`, `SubscriptionDeleted` * Do you need to review or validate who approved access to a dataset? * Monitor `SubscriptionRequestApproved`, `SubscriptionCreated` **Metadata changes** * Do you need to monitor the removal or adding of tags on data sources or columns? * Monitor `TagApplied`, `TagRemoved` * Do you need to monitor the creation, deletion, or updates of tags in Immuta? * Monitor `TagCreated`, `TagUpdated`, `TagDeleted` * Do you need to monitor the removal or adding of user attributes? * Monitor `AttributeApplied`, `AttributeRemoved` **User management** * Do you want to detect if users are being created or updated locally in Immuta instead of via your IAM provider? * Monitor `UserCreated`, `UserCloned`, `UserDeleted`, `UserUpdated` * Do you need to know when permissions given to users in Immuta are updated? * Monitor `PermissionApplied`, `PermissionRemoved`, `DomainPermissionsUpdated` **Policy oversight** * Do you need to know when a policy is created, updated, or deleted and by whom? * Monitor `GlobalPolicyCreated`, `GlobalPolicyUpdated`, `GlobalPolicyDeleted` * Do you want to understand how a policy change affects access? * Correlate `GlobalPolicyUpdated` with subsequent `auditPayload` **Compliance and regulatory obligations** * Do you need to demonstrate that sensitive data has been classified and governed appropriately? * Monitor `TagApplied`, `SDDDatasourceTagUpdated` to review classification coverage across registered sources * Are you required to maintain a complete audit trail of who accessed what and when? * Log and export all `QUERY` events, along with `actionStatus`, `eventTimestamp`, `auditPayload.objectsAccessed` **Application and platform configuration** * Do you want to track when new data sources are added? * Monitor `DatasourceCreated` * Do you want to track any changes made to the Immuta application settings? * Monitor `ConfigurationUpdated` **Risk detection** * Do you want to detect queries on sensitive data? * Monitor `QUERY` events with `auditPayload.securityProfile.sensitivity.score` * Would it be a problem if someone tried to access data they shouldn't have? * Monitor failed `QUERY` events ### Dashboards vs. notifications: choosing the right level of monitoring Not every audit event needs a real-time alert. One of the most effective ways to build a sustainable audit strategy is to decide upfront which insights should live in a dashboard (for ongoing visibility) and which deserve a notification (to drive immediate action).
Use caseRecommended action
Track policy edits over timeDashboard
Review all access grants and removals weeklyDashboard
Catch manual grantsNotification
Track Immuta application permission changesNotification
Detect query spikes on sensitive dataDashboard + otification over a certain threshold
Show entitlement changes weeklyDashboard
{% hint style="success" %} **Tip:** As a general rule, use dashboards to observe trends and support audits and notifications to catch behavior that should trigger a decision or response. {% endhint %} ## Example scenarios Once your Immuta audit logs are flowing to a secure location, you can begin filtering them to answer common governance, access, and compliance questions. Below are three practical scenarios to help you get started. These can be adapted to your analytics platform of choice. ### 1. Monitor key configuration changes in Immuta application Governance teams need visibility into high-impact configuration changes, especially those that affect how access is granted or enforced. Even when these changes are made by privileged users, it’s important to track actions that directly influence data exposure, such as assigning governance roles or modifying user permissions. **Relevant audit events** `PermissionApplied`, `PermissionRemoved`, `DomainPermissionsUpdated`.
Example SQL The SQL script below will retrieve all permissions that have been applied, removed, or updated on the domain level. The script is an example in Snowflake where we have created an external stage (@S3\_audit\_stage) that points to the S3 location where the audit files are exported to. ```sql SELECT t0.value:eventTimestamp::datetime as eventtimestamp, t0.value:type::string as type, t0.value:actionStatus::string as actionstatus, t0.value:actor.id::string as user, case when t0.value:type::string = 'DomainPermissionsUpdated' then t0.value:relatedResources[0].name::string else t0.value:targets[0].name::string end as affecteduser, case when t0.value:type::string = 'DomainPermissionsUpdated' then t0.value:targets[0].name::string else null end as affecteddomain, case when t0.value:type::string = 'DomainPermissionsUpdated' then t0.value:auditPayload.permissionUpdates[0].permissions::variant else t0.value:relatedResources[0].name::string end as permissions, t0.value as json FROM @S3_audit_stage (file_format => 'json_format',pattern=>'.*json'), lateral flatten (input => $1) as t0 WHERE type in ('PermissionApplied', 'PermissionRemoved', 'DomainPermissionsUpdated') order by eventTimestamp desc; ```
#### **Optional alerts** You can monitor permission changes in Immuta by setting up a webhook on the `permissionsUpdated` notification. To do this, trigger an API call to create the webhook, using a URL from your chosen application (e.g., Slack) configured to receive incoming webhooks. The example below uses a Slack webhook URL. For more advanced filtering, you can introduce a lightweight Lambda (or similar service) to process webhook events. This allows you to evaluate each event—for example, to check whether it occurred outside business hours or involved high-risk permissions like `USER_ADMIN` or `GOVERNANCE`—and only forward alerts that meet your criteria.
Example webhook payload ```sh curl \ --request POST \ --header "Authorization: " \ --data @example-payload.json \ https://.hosted.immutacloud.com/webhooks example-payload.json: { "webhooks": [ { "url": "https://hooks.slack.com/services/T00000/B00000/XXXXXXXXXXXXXXXXX", "name": "Updated permissions", "global": true, "notificationType": [ "permissionsUpdated" ], "actionType": "triggered" } ] } ```
### 2. Monitor policy and access control changes When policies are updated—especially those that govern sensitive or regulated data—teams should be alerted to the change and understand its downstream impact. Because Immuta policies are dynamic and metadata-driven, even minor changes can significantly alter access. To monitor policy edits and evaluate their potential impact, use audit logs to pinpoint policy changes, then correlate them with access modifications and shifts in query behavior over time. * Creating, updating, or deleting policies * Applying or removing tags (especially on sensitive datasets) * Adding or removing user attributes that affect entitlements **Relevant audit events** * Policy events: `GlobalPolicyCreated`, `GlobalPolicyUpdated`, `GlobalPolicyDeleted`. * Tag events: `TagApplied`, `TagRemoved`. * Attribute events: `AttributeApplied`, `AttributeRemoved`. * Permissions events: `PermissionApplied`, `PermissionRemoved`, `DomainPermissionsUpdated`.
Example SQL The example below will give an overview of all tag, attribute, and policy audit events mentioned above from your exported audit logs in Snowflake. ```sql SELECT t0.value:eventTimestamp::datetime as eventtimestamp, t0.value:type::string as type, t0.value:actionStatus::string as actionstatus, t0.value:actor.id::string as user, t0.value:targets[0].name::string as affectedobject, coalesce(concat( t0.value:auditPayload.attributes[0].attribute::string , ': ' , replace(replace(t0.value:auditPayload.attributes[0].values::string,'[', ''),']','')) --attributes , t0.value:auditPayload.appliedTags[0].tags[0].name::string --applied tags , t0.value:auditPayload.removedTags[0].tags[0].name::string --removed tags , t0.value:auditPayload.policy.actions[0].dataPolicyType::string -- data policies , t0.value:auditPayload.policy.actions[0].type::string -- subscription policies ) as value, t0.value as json FROM @S3_audit_stage (file_format => 'json_format',pattern=>'.*json'), lateral flatten (input => $1) as t0 WHERE type in ( 'TagApplied', 'TagRemoved' , 'AttributeApplied', 'AttributeRemoved' , 'GlobalPolicyUpdated', 'GlobalPolicyCreated', 'GlobalPolicyDeleted') order by eventTimestamp desc; ```
You can set up alerts using Immuta’s webhook functionality. For example, to receive notifications when a user attribute is manually added, updated, or removed, configure a webhook for the `attributeAdded`, `attributeUpdated`, and `attributeRemoved` notifications. To create the webhook, trigger an API call to Immuta using a URL from your chosen application (e.g., Slack) that is configured to receive incoming webhooks. The example below uses a URL for Slack.
Example webhook payload ```sh curl \ --request POST \ --header "Authorization: " \ --data @example-payload.json \ https://.hosted.immutacloud.com/webhooks example-payload.json: { "webhooks": [ { "url": "https://hooks.slack.com/services/T00000/B00000/XXXXXXXXXXXXXXXXX", "name": "attributeAlert", "global": true, "notificationType": [ "attributeAdded", "attributeUpdated", "attributeRemoved" ], "actionType": "triggered" } ] } ```
### 3. Monitor when new PII or PCI data is registered When new columns are added to an existing dataset—especially when those columns contain PII or PCI—governance teams need to know. In Immuta, newly registered columns are automatically tagged with `New`, and identification applies tags like `PII` or `PCI` when it detects sensitive information. This makes it possible to identify when data engineers introduce sensitive fields to an already-governed table. By monitoring these tags at the point of registration, governance teams can proactively review datasets and ensure appropriate access controls are in place before those datasets are exposed to users. #### **Relevant audit event** `TagApplied`
Example SQL This script is an example in Snowflake where an external stage (@S3\_audit\_stage) points to the S3 location where the audit files are exported to. ```sql SELECT t0.value:eventTimestamp::datetime as eventtimestamp, t0.value:type::string as type, t0.value:actionStatus::string as actionstatus, t0.value:actor.id::string as user, t0.value:targets[0].name::string as affectedobject, t0.value:auditPayload.appliedTags[0].tags[0].name::string as appliedtags, t0.value as json FROM @S3_audit_stage (file_format => 'json_format',pattern=>'.*json'), lateral flatten (input => $1) as t0 WHERE type in ( 'TagApplied') and t0.value:auditPayload.appliedTags[0].tags[0].name::string ilike '%PII%' order by eventTimestamp desc; ```
## Conclusion Immuta audit logs offer more than just a record of activity—they’re a powerful foundation for proactive governance, risk detection, and regulatory compliance. By focusing on high-impact events, aligning monitoring with business priorities, and combining dashboards with alerts, you can turn raw log data into actionable intelligence. Whether you're tracking permission changes, policy updates, or the registration of new sensitive data, a thoughtful audit strategy helps you stay ahead of risk and maintain trust in your data ecosystem.