Audit Logging
The following table outlines the expected near-real delivery times for ALTR’s audit logs:
Audit Log | Expected Delivery Time |
|---|---|
Query audit | 60 seconds maximum once query has completed |
Custom audit | 60 seconds maximum from when the custom audit API is triggered |
ALTR introduces a maximum of 60 seconds of buffering. Any additional time spent is either preparing or delivering the audit. This buffering period is overridden if the size exceeds the maximum limit of 64MB.
ALTR monitors audit logs and if the expected delivery time exceeds 5 minutes, our Cloud Operation teams are alerted.
ALTR's query audit log maintains a record of all access to sensitive data protected by ALTR. The log shows all query audit log entries from the last 24 hours with details on what database objects were impacted by the query log.
When a user or application runs a query on an ALTR-connected column or tag, ALTR logs key details, including who ran the query, what sensitive data was accessed, how much was accessed, and which access policies have been applied. The log details vary based on the query type and data source.
Query audit log entries are available in near-real time, typically seconds or minutes after a query is complete and all required information regarding that query is available in the connected data source. To see log entries from the last 24 hours, navigate to the Query Log page and click Refresh.
Caution
For Snowflake data sources, ALTR's service user must have the MONITOR grant for the warehouse used to execute the query; otherwise, a query audit log entry will not be generated.
To view the query audit log, click Audit Logs in the Navigation menu or view it in ALTR's Amazon S3 Log Export. Expand a log entry to view additional information, including the ability to view the raw JSON object. While a lot of useful information displays in the log entry, the raw JSON object shows the complete log details.
Once a query is executed, log entries take a few seconds to display on this page. Click Refresh to pick up new query audit log entries from the last 24 hours. .
Redaction of Sensitive Data
ALTR redacts any potentially sensitive data from query audit log entries to protect sensitive information, such as name and SSN. This ensures that logs remain useful while ensuring the privacy of sensitive data.
Strings are replaced with
'literal_string'Integers are replaced with a randomly generated number (0-9)
Click Filter on the query log to filter log entries in order to locate an entry or set of entries. Filters are case-insensitive and use exact matching.
When filtering:
use one value per filter
a time window is required. By default, the Completion Before date is set to the current date and the Completion After date is set to 7 days from the current date
It may be helpful to copy the full query text or the query ID (which is the Snowflake query ID) if you need to
find the query in Snowflake
contact ALTR Support because you have an issue with a query
To copy the query ID or query text:
Select Audit Logs in the Navigation menu.
Locate the query log entry.
Click Query Text or Query ID; a pop-up modal displays to reveal the full query text / query ID.
Click Copy.
System Audit Logs enable ALTR administrators to track major administrative actions taken in the ALTR platform.
ALTR provides the following system audit logs that track specific actions taken by users in ALTR:
System Audit Log | Event Tracked |
|---|---|
Administrators | Create, remove and update administrators |
Alerts | Edit and resolve alerts |
API Keys | Create, remove and update API keys |
Applications | Create, remove and update applications |
Data | Connect, disconnect and update columns |
Data Sources | Connect, disconnect and update data sources |
Locks | Create, remove and update column access policies NoteLocks are part of the former policy user interface. This system audit has been depreciated. |
Policy | Create, delete and update policies: tag, column and row. |
Thresholds | Create, remove and update thresholds NoteThresholds are part of the former policy user interface. This system audit has been depreciated. |
User Groups | Create, remove and update user groups |
View System Audit Logs
To view system audit logs:
Select → in the Navigation menu.
Click one of system audit log tabs.
Export System Audit Log to AWS
You are able to integrate ALTR with AWS to export your system audit logs to an S3 bucket. Learn more.
Custom Audit Logs enable you to extend ALTR's logging to include custom events, enabling bespoke logging and reporting use cases. For instance, custom audit logs can be used to track login events for a particular data source.
Caution
Be sure to sanitize your data before using custom audits. ALTR does not treat (i.e., remove or destroy) sensitive data sent through custom audits.
How to Configure and Use Custom Audit Logs
Custom audit logs are triggered by sending event information from a Snowflake user-defined function to a Snowflake external function. See ALTR's Snowflake Integration documentation for more information on how ALTR integrates with Snowflake. These functions are created automatically for newly connected Snowflake accounts. If your Snowflake account was connected to ALTR prior to January 2024, please contact support@altr.com for instructions to configure custom audit logs.
Events can be submitted to ALTR manually through SQL or automatically though processes such as Snowflake tasks. Submitting events to ALTR involves calling the user-defined function with a batch of records. ALTR requires certain information for each event, including:
Event Type—a customer-defined event and is used to distinguish between different kinds of events
Content Type—ALTR currently supports "application/json"
Event Details—a JSON object describing the event. It can include any information relevant to your use case
Optionally, customers can send an event time. The format of this timestamp is milliseconds from epoch. If an event time is not specified, ALTR will use the time the event was submitted.
There is a 256kb limit to the size of custom audit submissions. If you have more than 256kb worth of data to send, consider breaking the information down into smaller requests.
Accessing Custom Audit Logs
Custom Audit Logs are accessible via ALTR’s Amazon S3 Log Export. To enable exporting of custom audit logs to an S3 bucket, contact ALTR Support.
ALTR indexes events in S3 based on the event time. This is typically the customer-supplied time, if available. If a customer-supplied time is not provided or the customer-supplied time is more than 3 days in the past, events are indexed based on when they were submitted to ALTR.
Example SQL for Submitting Custom Audit Logs
Below is example SQL for a Snowflake Task that records events from Snowflake’s Login History every hour. See Snowflake’s documentation for more information on using tasks.
CREATE OR REPLACE TASK LOGIN_AUDIT_TASK
SCHEDULE = '60 MINUTE'
AS
SELECT "ALTR_DSAAS_DB"."{YOUR_SCHEMA_NAME}"."{YOUR_FUNCTION_NAME}"(select ARRAY_AGG("event_details") WITHIN GROUP (ORDER BY "event_details" ASC) as "audit_array" from (select TO_JSON(OBJECT_CONSTRUCT_KEEP_NULL( 'event_details', "custom_audit_blob", 'event_time', "event_time", 'content_type', "content_type", 'event_type', "event_type")) as "event_details" from (SELECT (TO_VARIANT(OBJECT_CONSTRUCT_KEEP_NULL(
'event_type', event_type,
'user_name', user_name,
'client_ip', client_ip,
'first_authentication_factor', first_authentication_factor,
'second_authentication_factor', second_authentication_factor,
'is_success', is_success,
'error_code', error_code,
'error_message', error_message,
'event_time', event_timestamp
))) "custom_audit_blob",
date_part('EPOCH_MILLISECOND',audit_table.event_timestamp) as "event_time" ,
'LOGIN' as "event_type",
'application/json' as "content_type"
FROM TABLE(information_schema.login_history(TIME_RANGE_START => dateadd('hours', -1, CURRENT_TIMESTAMP()), CURRENT_TIMESTAMP())) audit_table
ORDER BY event_timestamp DESC)));
-- The query below starts the automated task
ALTER TASK LOGIN_AUDIT_TASK RESUME;
The Schema and Function name should be replaced with the schema and function automatically created by ALTR in your Snowflake account.
To find YOUR_SCHEMA_NAME and YOUR_FUNCTION_NAME:
Log into your ALTR account.
Select → in the Navigation menu.
Click the Organization ID tab.
Locate the ALTR Organization ID. Copy this ID and update the dashes (-) to underscores (_); this becomes YOUR_SCHEMA_NAME.
Note
Example: an ALTR Organization ID of 3f5d8e36-562a-4b63-8555-57bffc085496 should be modified to 3f5d8e36_562a_4b63_8555_57bffc085496.
Run the following SQL query to obtain the function name:
SHOW USER FUNCTIONS LIKE 'ALTR_CUSTOM_AUDIT_%' IN SCHEMA ALTR_DSAAS_DB.ALTR_DSAAS_<MODIFIED ORG ID>;
This command returns a single row that provides the full name of your custom audit function.