Query Audit
Query Audit tracks all data access operations against the Data Catalog, providing a complete audit trail for governance and compliance. Audit policies define which operations are logged, who is notified, and how violations are recorded. The audit system integrates with the governance policy evaluator to capture both successful and denied access attempts.
Audit Rule Types
| Rule Type | Description |
|---|---|
| LOG_ACCESS | Log all read operations on the entity |
| LOG_MODIFICATION | Log all write operations (INSERT, UPDATE, DELETE) |
| ALERT_ON_ACCESS | Send an alert when the entity is accessed |
Audit Policy Structure
Audit policies use the AUDIT policy type and attach to data entities through scope configuration.
| Field | Description |
|---|---|
| policyType | Set to AUDIT |
| scopeType | Scope of auditing (TABLE, DATABASE, CLASSIFICATION) |
| scopeEntities | Specific entities to audit |
| rules | List of audit rules defining what to log |
| enforcementActions | Actions triggered on audit events |
Example Audit Policy
```json
{
  "name": "PII Access Audit",
  "policyType": "AUDIT",
  "scopeType": "CLASSIFICATION",
  "scopeEntities": ["PII", "SENSITIVE"],
  "enforcementMode": "MONITOR",
  "rules": [
    {
      "name": "Log All Access",
      "ruleType": "LOG_ACCESS",
      "parameters": {},
      "enabled": true,
      "order": 1
    },
    {
      "name": "Alert on Modification",
      "ruleType": "ALERT_ON_ACCESS",
      "parameters": {
        "alertChannel": "security-team",
        "severity": "HIGH"
      },
      "enabled": true,
      "order": 2
    }
  ],
  "enforcementActions": [
    {
      "actionType": "LOG",
      "parameters": {
        "logLevel": "INFO",
        "includeUserContext": true
      },
      "order": 1
    },
    {
      "actionType": "NOTIFY",
      "parameters": {
        "recipients": ["data-stewards@company.com"],
        "template": "audit-alert"
      },
      "order": 2
    }
  ]
}
```
Audit Log Fields
Each audit log entry captures the following information from the evaluation context.
| Field | Description |
|---|---|
| entityId | UUID of the accessed entity |
| entityFqn | Fully qualified name of the entity |
| entityType | Type of entity (table, column, database) |
| operationType | Operation performed (SELECT, INSERT, UPDATE, DELETE, EXPORT) |
| userId | Authenticated user who performed the operation |
| userRoles | Roles assigned to the user at time of access |
| timestamp | Exact time of the access attempt |
| classification | Classification level of the accessed data |
| tags | Tags associated with the accessed entity |
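To show how the example policy above and these audit log fields fit together, here is an added illustration (not the product's own evaluator) that decides which rules of the "PII Access Audit" policy fire for a given access event and which enforcement actions then run. The scope-matching and operation-classification semantics (CLASSIFICATION scope compared against the event's classification, SELECT and EXPORT treated as reads) are assumptions made for the illustration; the event itself is constructed.

```python
# Added example (not the product's code); scope and operation matching semantics are assumed.
READ_OPS = {"SELECT", "EXPORT"}             # assumed to count as "read operations"
WRITE_OPS = {"INSERT", "UPDATE", "DELETE"}  # write operations, per the rule-type table

PII_POLICY = {  # compact form of the example policy on this page
    "name": "PII Access Audit", "policyType": "AUDIT",
    "scopeType": "CLASSIFICATION", "scopeEntities": ["PII", "SENSITIVE"],
    "enforcementMode": "MONITOR",
    "rules": [
        {"name": "Log All Access", "ruleType": "LOG_ACCESS", "enabled": True, "order": 1},
        {"name": "Alert on Modification", "ruleType": "ALERT_ON_ACCESS", "enabled": True, "order": 2},
    ],
    "enforcementActions": [{"actionType": "LOG", "order": 1}, {"actionType": "NOTIFY", "order": 2}],
}

def in_scope(policy, event):
    """Assumed scope matching: CLASSIFICATION compares the event's classification,
    TABLE the full entity FQN, DATABASE the FQN's first component."""
    scope, entities = policy["scopeType"], policy["scopeEntities"]
    if scope == "CLASSIFICATION":
        return event["classification"] in entities
    if scope == "TABLE":
        return event["entityFqn"] in entities
    if scope == "DATABASE":
        return event["entityFqn"].split(".")[0] in entities
    return False

def rule_fires(rule, event):
    op = event["operationType"]
    if not rule.get("enabled", False):
        return False
    if rule["ruleType"] == "LOG_ACCESS":
        return op in READ_OPS
    if rule["ruleType"] == "LOG_MODIFICATION":
        return op in WRITE_OPS
    return rule["ruleType"] == "ALERT_ON_ACCESS"  # fires on any access, read or write

def evaluate(policy, event):
    """Return (names of rules that fired, action types to run) in declared order;
    an out-of-scope event, or one no rule matches, triggers nothing."""
    if policy.get("policyType") != "AUDIT" or not in_scope(policy, event):
        return [], []
    fired = [r["name"] for r in sorted(policy["rules"], key=lambda r: r["order"]) if rule_fires(r, event)]
    actions = [a["actionType"] for a in sorted(policy["enforcementActions"], key=lambda a: a["order"])]
    return fired, (actions if fired else [])

# Constructed sample event shaped like the audit log fields documented above.
SAMPLE_EVENT = {"entityFqn": "sales.customers", "entityType": "table", "operationType": "SELECT",
                "userId": "analyst01", "userRoles": ["analyst"], "classification": "PII", "tags": ["gdpr"]}
```

Evaluating SAMPLE_EVENT against PII_POLICY fires both rules and yields the LOG and NOTIFY actions; the same event with classification PUBLIC is out of scope and yields nothing.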
Violation Tracking
The governance system records policy violations with severity levels and contextual details.
| Field | Description |
|---|---|
| policyId | ID of the violated policy |
| policyName | Human-readable name of the policy |
| ruleId | Specific rule within the policy that was violated |
| ruleType | Type of the violated rule |
| message | Description of the violation |
| severity | Violation severity (LOW, MEDIUM, HIGH, CRITICAL) |
| context | Additional contextual details about the violation |
Retrieving Audit Data
Audit data is accessible through the governance API.
| Endpoint | Description |
|---|---|
| GET /v1/governance/policies/violations/recent | Get recent violations for a tenant |
| GET /v1/governance/policies/:policyId/violations | Get violations for a specific policy |
| GET /v1/governance/policies/statistics | Get governance statistics including violation counts |
Enforcement Actions for Audit
| Action | Description |
|---|---|
| LOG | Write an entry to the audit log |
| ALERT | Send an alert to a monitoring channel |
| NOTIFY | Send a notification to specified recipients |
| TICKET | Create a support or incident ticket |
| WEBHOOK | Call an external webhook with audit details |
| WORKFLOW | Trigger an approval or review workflow |
Best Practices
- Enable LOG_ACCESS on all tables classified as PII or SENSITIVE
- Use ALERT_ON_ACCESS for high-sensitivity data that requires immediate attention
- Set audit policies to MONITOR enforcement mode to avoid blocking legitimate queries
- Review the violations dashboard regularly to identify unauthorized access patterns
- Combine audit policies with retention policies to manage audit log storage