Skip to content

You are viewing documentation for Immuta version 2023.1.

For the latest version, view our documentation for Immuta SaaS or the latest self-hosted version.

Snowflake Query Audit Logs

Snowflake query audit logs is a feature that audits queries that users run natively in Snowflake and turns them into Immuta audit logs. Immuta uses the Snowflake QUERY_HISTORY and ACCESS_HISTORY tables and translates them into the audit logs that can be viewed and downloaded within the Immuta UI or using the Immuta API. Immuta audits the activity of Immuta users on Immuta data sources.

Requirements

Best Practices: Store Audit Records

By default Immuta audit records expire after 60 days, so store audit records outside of Immuta in order to retain the audits long term.

Prompt Native Query Audit

To manually prompt the native query audit, click Native Query Audit on the Audit page.

Alternatively, the schedule for the automatic job can be changed to fit your needs. See instructions for changing the frequency of the automatic job on the App Settings Tutorial page.

Audit Messages

Each audit message from the Immuta platform will be a one-line JSON object containing the properties listed below. These audit records are stored with the recordType: nativeQuery.

Property Description Example
DateTime integer or string The timestamp for when the record was created. This may be an ISO-8601 timestamp string or an epoch timestamp. 2504188066580 or 2017-08-31T14:01:15.607Z
ProfileID integer The profile ID of the user who made the query. 1
UserID string The user ID of the user who made the query. jane.doe@immuta.com
DataSourceID integer The ID of the data source that was queried. 12
DataSourceName string The name of the data source that was queried. Public Customer Data
RecordType string The type of record captured. Native query audit records will always be nativeQuery.
Success boolean If true, the query was successful. true or false
Component string The Immuta component that generated the record. nativeSql
AccessType string Indicates whether access was granted to an individual blob or if this was a query potentially encompassing many blobs. query
Query string The query that was run in the integration. select * from IMMUTA.PUBLIC.CUSTOMER;
Handler string The integration type. Snowflake
StartTime timestamp The date and time the query started in UTC. 2021-09-20 17:20:00.39100000 +0000
EndTime timestamp The date and time the query ended in UTC. 2021-09-20 17:20:02.42100000 +0000
Duration integer The time the query took in milliseconds. 2030
NativeObject string The fully qualified object that was queried. IMMUTA.PUBLIC.CUSTOMER
NativeObjectType string The type of the object that was queried. view or table
Host string The host that the integration is connected to. your-hostname.snowflake.computing.com
Database string The database that the native object resides in. IMMUTA
SQLUser string The integration username of the user who made the query. jane.doe@immuta.com