Snowflake Query Audit Logs
Deprecation notice
Support for the audit endpoint and UI has been deprecated. Instead, pull audit logs from Kubernetes and push them to your SIEM.
Snowflake query audit logs is a feature that audits queries that users run natively in Snowflake and turns them into
Immuta audit logs. Immuta uses the
Snowflake QUERY_HISTORY
and ACCESS_HISTORY
tables and translates them
into the audit logs that can be viewed and downloaded within the Immuta UI or using the Immuta API. Immuta audits the
activity of Immuta users on Immuta data sources.
Requirements
- Snowflake Enterprise Edition or higher
- Snowflake integration with native query audit enabled
- Snowflake tables registered as Immuta data sources
- Snowflake users registered as Immuta users: Note that the users' Snowflake usernames must be mapped to Immuta. Without this, Immuta will not know the users are Immuta users and will not collect audit events for their data access activity.
Best Practices: Store Audit Records
By default Immuta audit records expire after 60 days, so store audit records outside of Immuta in order to retain the audits long term.
Audit Frequency
Immuta collects audit records at the frequency configured when enabling the integration, which is between 1 and 24 hours. The frequency is a global setting based on integration type, so organizations with multiple Snowflake integrations will have the same audit frequency for all of them. The more frequent the audit records are ingested, the more current the audit records; however, there could be performance and cost impacts from the frequent jobs.
To manually request native query audit ingestion, click Load Audit Events on the Immuta audit page.
Audit Messages
Each audit message from the Immuta platform will be a one-line JSON object containing the properties listed below.
These audit records are stored with the recordType
: nativeQuery
.
Property | Description | Example |
---|---|---|
DateTime | integer or string The timestamp for when the record was created. This may be an ISO-8601 timestamp string or an epoch timestamp. |
2504188066580 or 2017-08-31T14:01:15.607Z |
ProfileID | integer The profile ID of the user who made the query. |
1 |
UserID | string The user ID of the user who made the query. |
jane.doe@immuta.com |
DataSourceID | integer The ID of the data source that was queried. |
12 |
DataSourceName | string The name of the data source that was queried. |
Public Customer Data |
RecordType | string The type of record captured. |
Native query audit records will always be nativeQuery . |
Success | boolean If true , the query was successful. |
true or false |
Component | string The Immuta component that generated the record. |
nativeSql |
AccessType | string Indicates whether access was granted to an individual blob or if this was a query potentially encompassing many blobs. |
query |
Query | string The query that was run in the integration. |
select * from IMMUTA.PUBLIC.CUSTOMER; |
Handler | string The integration type. |
Snowflake |
StartTime | timestamp The date and time the query started in UTC. |
2021-09-20 17:20:00.39100000 +0000 |
EndTime | timestamp The date and time the query ended in UTC. |
2021-09-20 17:20:02.42100000 +0000 |
Duration | integer The time the query took in milliseconds. |
2030 |
NativeObject | string The fully qualified object that was queried. |
IMMUTA.PUBLIC.CUSTOMER |
NativeObjectType | string The type of the object that was queried. |
view or table |
Host | string The host that the integration is connected to. |
your-hostname.snowflake.computing.com |
Database | string The database that the native object resides in. |
IMMUTA |
SQLUser | string The integration username of the user who made the query. |
jane.doe@immuta.com |