Guides

Features

Advanced

Audit Logs in ALTR

ALTR provides a variety of auditing capabilities to enable ALTR Administrators to understand what sensitive data is being queried, as well as what administrative actions are taken in the ALTR platform. These are the Query Audits and System Audits, respectively.

Query Audit Logs

ALTR maintains a log of all queries that accessed connected columns in Query Audits. These audits contain information concerning:

  1. Which user and role ran the query
  2. The time the query was executed
  3. What columns were accessed by the query
  4. How many values were returned by the query
  5. The query text, sanitized to remove potentially sensitive data (such as the content of WHERE clauses)

Query audits are generated after queries are executed in Snowflake by monitoring Snowflake Warehouse activity and logs. It may take several minutes for a query to appear in ALTR’s query log after the query executes.

System Audit Log

Audit keeps a log many major administrative actions in the ALTR platform, such as:

  1. Connecting and disconnecting databases
  2. Connecting and disconnecting columns
  3. Created, changing, and removing governance rules
  4. Editing administrator information
  5. Threshold/Anomaly Triggers

These actions, and many more, are logged in ALTR’s System Audit Log. The System Audit log contains the following information:

  1. The date an action took place
  2. The ALTR Administrator who took the action
  3. What action was taken

Note: If you are using ALTR’s Management API to perform configuration, any actions taken by the API are logged under the name of the ALTR administrator that created the API key.

Custom Audit Log

ALTR includes the capability to track user-defined events through the use of Custom Audit Logs. See our dedicated page for more information.

SIEM Exports of Audit Data

ALTR enables clients to export audit log data to an AWS S3 bucket which can then be ingested into logging tools or used to trigger notifications in external systems. For instance, you can use the System Audits generated whenever a threshold is triggered to send an email to relevant parties about the threshold violation, or you can include information regarding all queries on sensitive data into your organizations Splunk logs. Audit logs are partitioned in S3 based on event time.

Example S3 JSON Object for Query Audit Logs:

Copy Call Statement

Example S3 JSON Object for System Audit Logs:

Copy Call Statement

Example S3 JSON Object for Custom Audit Logs:

Copy Call Statement

Troubleshooting and FAQ

  1. I ran a query on a connected column, but I don’t see it in the Query Log
    ALTR monitors Snowflake Warehouse activity and logs to generate query audits, which may not be immediately available when the query executes. If there is no query activity after several minutes, ensure that the database connection is still healthy on the Data Sources Page. If problems persist, contact support@altr.com.
  2. I see System Audit activity for users who I know are not actively using the ALTR UI.
    Check to ensure that those users have not created Management API keys. ALTR treats actions taken by the Management API as being performed by the user who created the API keys. If that’s not the case, have those ALTR administrators immediately change their password and reach out to support@altr.com.

First section of content