Example Query Audit Events from UAM
Example Snowflake query audit event
For details about the parameters in audit events, see the Audit Service GraphQL Reference Guide.
{
"action": "QUERY",
"actor": {
"type": "USER_ACTOR",
"name": "Taylor",
"id": "taylor@immuta.com",
"identityProvider": "immuta",
"impersonatedBy": null
},
"sessionId": "18245308848957358",
"actionStatus": "SUCCESS",
"actionStatusReason": null,
"eventTimestamp": "2023-03-21T13:39:45.040598-04:00",
"id": "abc123",
"tenantId": "aabc123",
"targetType": "DATASOURCE",
"targets": [
{
"type": "DATASOURCE",
"id": "2034",
"name": "University Art Gallery Exhibition",
"technology": "SNOWFLAKE"
}
],
"relatedResources": [],
"auditPayload": {
"type": "QueryAuditPayload",
"queryId": "01a9c8f5-0602-eeb3-0040-d203014c166a",
"query": "SELECT T2.theme , T1.date , T1.attendance FROM \"DETECT_DEMO_DB\".\"UNIVERSITY_ART_GALLERY\".\"EXHIBITION_RECORD\" AS T1 JOIN \"DETECT_DEMO_DB\".\"UNIVERSITY_ART_GALLERY\".\"EXHIBITION\" AS T2 ON T1.exhibition_id = T2.exhibition_id WHERE T2.year = 2004",
"startTime": "2023-03-21T13:39:45.040598-04:00",
"endTime": "2023-03-21T13:05:07.040598-04:00",
"duration": 163,
"errorCode": null,
"technologyContext": {
"type": "SnowflakeContext",
"host": "example.us-east-2.snowflakecomputing.com",
"snowflakeUsername": "taylor@snowflake.com",
"rowsProduced": 3
},
"objectsAccessed": [
{
"columns": [
{
"name": "ATTENDANCE",
"tags": [],
"securityProfile": {
"sensitivity": {
"score": "NONSENSITIVE"
}
}
},
{
"name": "DATE",
"tags": [
{
"id": "97",
"name": "Discovered.Entity.Date",
"source": "curated"
},
{
"id": "2522",
"name": "Immuta DSF.Date",
"source": "curated",
"framework": {
"id": "4b4a2b1c-5862-4061-9c73-f562a56f127f",
"version": "543c62fe-5fbd-4829-9922-e271312af96d",
"name": "Immuta Data Security Framework",
"measures": {
"sensitivity": "NONSENSITIVE"
}
}
}
],
"securityProfile": {
"sensitivity": {
"score": "NONSENSITIVE"
}
}
},
{
"name": "EXHIBITION_ID",
"tags": [],
"securityProfile": {
"sensitivity": {
"score": "NONSENSITIVE"
}
}
}
],
"type": "TABLE",
"name": "DETECT_DEMO_DB.UNIVERSITY_ART_GALLERY.EXHIBITION_RECORD",
"tags": [],
"securityProfile": {
"sensitivity": {
"score": "NONSENSITIVE"
}
}
},
{
"columns": [
{
"name": "YEAR",
"tags": [],
"securityProfile": {
"sensitivity": {
"score": "NONSENSITIVE"
}
}
},
{
"name": "EXHIBITION_ID",
"tags": [],
"securityProfile": {
"sensitivity": {
"score": "NONSENSITIVE"
}
}
},
{
"name": "THEME",
"tags": [],
"securityProfile": {
"sensitivity": {
"score": "NONSENSITIVE"
}
}
}
],
"type": "TABLE",
"name": "DETECT_DEMO_DB.UNIVERSITY_ART_GALLERY.EXHIBITION",
"tags": [],
"securityProfile": {
"sensitivity": {
"score": "NONSENSITIVE"
}
}
}
],
"securityProfile": {
"sensitivity": {
"score": "NONSENSITIVE"
}
}
},
"receivedTimestamp": "2023-03-22T13:22:04.979644-04:00"
}
Example Databricks Unity Catalog query audit event
For details about the parameters in audit events, see the Audit Service GraphQL Reference Guide.
{
"action": "QUERY",
"actor": {
"type": "USER_ACTOR",
"id": "taylor@immuta.com",
"name": "Taylor",
"identityProvider": "bim",
"profileId": "10"
},
"sessionId": "01ee14d9-cab3-1ef6-9cc4-f0c315a53788",
"requestId": "504b8fd9-38c1-4a90-966e-7445a6675f79",
"actionStatus": "SUCCESS",
"actionStatusReason": null,
"eventTimestamp": "2023-06-27T11:03:59.000Z",
"id": "01ee14da-517a-1670-afce-0c3e0fdcf7d4",
"tenantId": "alex.candelario.local",
"userAgent": "",
"targetType": "DATASOURCE",
"targets": [],
"relatedResources": [],
"auditPayload": {
"type": "QueryAuditPayload",
"queryId": "01ee14da-517a-1670-afce-0c3e0fdcf7d4",
"query": "SELECT VERSION AS `version` FROM `cbdemo_databricks_sql`.`__immuta_version`",
"startTime": "2023-06-27T11:03:59.000Z",
"duration": 23.568,
"errorCode": null,
"technologyContext": {
"type": "DatabricksContext",
"clusterId": null,
"workspaceId": "3841033049363283",
"service": "SQL",
"warehouseId": "559483c6eac0359f",
"notebookId": null,
"account": {
"id": "52e863bc-ea7f-46a9-8e17-6aed7541832d",
"username": "taylor@databricks.com"
},
"host": "immuta-e2-ws1-deployment-name.cloud.databricks.com",
"clientIp": "0.0.0.0"
},
"objectsAccessed": [],
"securityProfile": {
"sensitivity": {
"score": "INDETERMINATE"
}
},
"version": 1
},
"receivedTimestamp": "2023-06-27T15:18:22.314Z"
}
Example Databricks query audit event
For details about the parameters in audit events, see the Audit service GraphQL reference guide.
{
"action": "QUERY",
"actor": {
"type": "USER_ACTOR",
"name": "Taylor",
"id": "taylor@immuta.com",
"identityProvider": "okta",
"impersonatedBy": null
},
"sessionId": "abc123456589",
"actionStatus": "SUCCESS",
"actionStatusReason": null,
"actorIp": "1.2.3.4",
"eventTimestamp": "2022-10-13T20:03:41.013Z",
"id": "abc123",
"customerId": "abc123",
"targetType": "DATASOURCE",
"targets": [{
"id": "4",
"name": "Movies",
"technology": "DATABRICKS"
}],
"auditPayload": {
"type": "QueryAuditPayload",
"queryId": "81fe4385-1329-444a-b6d9-b26bce5c8dc7",
"query": "Project [director#778904]\n+- Filter ((YEAR#778903L = 1999) OR (YEAR#778903L = 2000))\n +- Relation[movie_id#778901L,Title#778902,Year#778903L,Director#778904,Budget_million#778905,Gross_worldwide#778906L] parquet\n",
"startTime": "2022-10-13T20:03:41.013Z",
"endTime": null,
"duration": null,
"accessControls": {
"entitlements": {
"groups": [],
"attributes": []
},
"policySet": [{
"type": "SUBSCRIPTION",
"global": false,
"subscriptionPolicyType": "MANUAL",
"ruleAppliedForUser": true
}]
},
"technologyContext": {
"type": "DatabricksContext",
"clusterId": "1006-194110-8j0shd5d",
"clusterName": "databricks-cluster-name",
"workspaceId": "123456789",
"pathUris": [
"dbfs:/user/hive/warehouse/your_database.db/movies"
],
"metastoreTables": ["your_database.movies"],
"queryLanguage": "python",
"queryText": "query_success = []\nnum_queries_run = 0\nimpersonate_probability = .20\nspark.sql(\"set immuta.impersonate.user=\")\n\ndef make_fail_query(query):\n try:\n spark.sql(\"set immuta.impersonate.user=taylor@databricks.com\")\n spark.sql(query).toPandas()\n except: \n pass\n \nfor index, query in enumerate(new_queries.values):\n if(num_queries_run % 100 == 0):\n print(f\"Queries Successfully Ran: {num_queries_run}/2000, out of total queries ran: {index+1}\")\n to_impersonate = random.randrange(100)\n if to_impersonate < impersonate_probability * 100:\n make_fail_query(query)\n spark.sql(\"set immuta.impersonate.user=\")\n num_queries_run += 1\n else:\n try:\n spark.sql(query).toPandas()\n query_success.append((query, True))\n num_queries_run += 1\n if num_queries_run == 2000:\n break\n except Exception as e:\n query_success.append((query, False))\n \n ",
"immutaPluginVersion": "2022.3.0-spark-3.1.1"
}
},
"receivedTimestamp": "2022-10-13T20:03:41.044Z"
}