Snowflake Query Audit Logs
Snowflake query audit logs is a feature that audits queries that users run natively in Snowflake and turns them into Immuta audit logs. Immuta uses the Snowflake QUERY_HISTORY and ACCESS_HISTORY tables and translates them into the audit logs that can be viewed and downloaded within the Immuta UI or using the Immuta API. Immuta audits the activity of Immuta users on Immuta data sources.
Requirements
- Snowflake Enterprise Edition or higher
- Snowflake integration with native query audit enabled
- Snowflake tables registered as Immuta data sources
- Snowflake users registered as Immuta users: Note that the users' Snowflake usernames must be mapped to Immuta. Without this, Immuta will not know the users are Immuta users and will not collect audit events for their data access activity.
Best Practices: Store Audit Records
By default, Immuta audit records expire after 60 days, so store audit records outside of Immuta to retain them long term.
Prompt Native Query Audit
To manually prompt the native query audit, click Native Query Audit on the Audit page.
Alternatively, the schedule for the automatic job can be changed to fit your needs. See instructions for changing the frequency of the automatic job on the App Settings Tutorial page.
Audit Messages
Each audit message from the Immuta platform will be a one-line JSON object containing the properties listed below.
These audit records are stored with the recordType: nativeQuery.
Property | Type | Description | Example |
---|---|---|---|
DateTime | integer or string | The timestamp for when the record was created. This may be an ISO-8601 timestamp string or an epoch timestamp. | 2504188066580 or 2017-08-31T14:01:15.607Z |
ProfileID | integer | The profile ID of the user who made the query. | 1 |
UserID | string | The user ID of the user who made the query. | jane.doe@immuta.com |
DataSourceID | integer | The ID of the data source that was queried. | 12 |
DataSourceName | string | The name of the data source that was queried. | Public Customer Data |
RecordType | string | The type of record captured. | Native query audit records will always be nativeQuery. |
Success | boolean | If true, the query was successful. | true or false |
Component | string | The Immuta component that generated the record. | nativeSql |
AccessType | string | Indicates whether access was granted to an individual blob or if this was a query potentially encompassing many blobs. | query |
Query | string | The query that was run in the integration. | select * from IMMUTA.PUBLIC.CUSTOMER; |
Handler | string | The integration type. | Snowflake |
StartTime | timestamp | The date and time the query started in UTC. | 2021-09-20 17:20:00.39100000 +0000 |
EndTime | timestamp | The date and time the query ended in UTC. | 2021-09-20 17:20:02.42100000 +0000 |
Duration | integer | The time the query took in milliseconds. | 2030 |
NativeObject | string | The fully qualified object that was queried. | IMMUTA.PUBLIC.CUSTOMER |
NativeObjectType | string | The type of the object that was queried. | view or table |
Host | string | The host that the integration is connected to. | your-hostname.snowflake.computing.com |
Database | string | The database that the native object resides in. | IMMUTA |
SQLUser | string | The integration username of the user who made the query. | jane.doe@immuta.com |
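
The following is an added example, not Immuta's own code: one way to prepare downloaded audit messages for storage outside Immuta by keeping only nativeQuery records, normalizing DateTime to UTC, and counting failed queries per user. It assumes the JSON keys are spelled as in the property list (matched case-insensitively) and that integer DateTime values are epoch milliseconds; the function names and sample lines are constructed for illustration.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def normalize_timestamp(value):
    """Return an aware UTC datetime for an epoch integer or an ISO-8601 string."""
    if isinstance(value, int) and not isinstance(value, bool):
        # Assumption: integer timestamps are epoch milliseconds.
        return EPOCH + timedelta(milliseconds=value)
    # datetime.fromisoformat() rejects a trailing "Z" before Python 3.11.
    parsed = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)  # assumption: naive means UTC
    return parsed.astimezone(timezone.utc)

def load_native_query_events(lines):
    """Parse one-line JSON audit messages and keep only nativeQuery records."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        # The page writes both "RecordType" and "recordType": compare keys in lowercase.
        rec = {key.lower(): val for key, val in json.loads(line).items()}
        if rec.get("recordtype") != "nativeQuery":
            continue
        rec["datetime"] = normalize_timestamp(rec["datetime"])
        events.append(rec)
    return events

def failed_queries_by_user(events):
    """Count unsuccessful native queries per Immuta user ID."""
    return Counter(e["userid"] for e in events if e.get("success") is False)

# Constructed sample messages (not real audit output).
SAMPLE_LINES = [
    '{"DateTime": "2017-08-31T14:01:15.607Z", "UserID": "jane.doe@immuta.com", '
    '"RecordType": "nativeQuery", "Success": true, "Query": "select * from IMMUTA.PUBLIC.CUSTOMER;"}',
    '{"DateTime": 2504188066580, "UserID": "jane.doe@immuta.com", '
    '"RecordType": "nativeQuery", "Success": false, "Query": "select * from IMMUTA.PUBLIC.CUSTOMER;"}',
    '{"DateTime": 2504188066580, "RecordType": "exampleOtherType", "Success": false}',
]

if __name__ == "__main__":
    for event in load_native_query_events(SAMPLE_LINES):
        print(event["datetime"].isoformat(), event["userid"], event["success"])
```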