Snowflake query-log PII exposure pager from Axiom access events

Watches Axiom for queries touching columns recently classified as PII and pages on-call via PagerDuty when a previously-safe column starts being read by broad audiences…

Category: Data Ops
Engine: sim
Difficulty: advanced
Trigger: schedule
Steps: 6
Setup: ~25 min

How it runs

The automated pipeline, trigger to output.

  • Trigger: Schedule triggers access-window check
  • Action: Pull Snowflake query-log events from Axiom
  • Action: Read current column classification from Snowflake
  • Logic: Intersect newly-sensitive columns with risky reads and score
  • Action: Open PagerDuty incident on threshold breach
  • Output: Post exposure summary to Slack data-security channel

What it does

This workflow connects access behavior to classification drift. It pulls recent Snowflake query events from Axiom, cross-references which columns were read against the current PII classification, and detects when a column that just became sensitive is suddenly being queried widely or by automated accounts. When that happens it pages the on-call data-security engineer.

When to use it

Use it when the real risk is not just that a column became PII, but that sensitive data is being read by the wrong consumers before masking lands. It turns drift plus access into an actionable incident.

How it works

  1. A schedule triggers a check over the recent access window.
  2. The workflow queries Axiom for Snowflake query-log events, extracting accessed columns and consumer identities.
  3. It reads the current column classification from Snowflake's governance table.
  4. A logic step intersects newly-sensitive columns with broad or service-account reads and scores exposure.
  5. If exposure crosses the threshold, PagerDuty opens an incident with the column, consumers, and query count.
  6. A Slack summary is posted to the data-security channel for non-paging visibility.
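The intersect-and-score logic of step 4, sketched as an added example; it is not the workflow's own code. The event and classification field names, the `svc_` account naming convention, the 7-day drift window, the score weights and the paging threshold are all assumptions, and the sample rows are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed values: field names, weights and thresholds are illustrative only.
NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)  # constructed clock
DRIFT_WINDOW = timedelta(days=7)  # PII tag newer than this counts as "newly sensitive"
PAGE_THRESHOLD = 10               # score at or above this opens an incident

# Constructed rows standing in for the governance table.
CLASSIFICATION = [
    {"column": "crm.customers.email", "tag": "PII", "classified_at": NOW - timedelta(days=1)},
    {"column": "crm.customers.phone", "tag": "PII", "classified_at": NOW - timedelta(days=3)},
    {"column": "crm.customers.ssn", "tag": "PII", "classified_at": NOW - timedelta(days=400)},
    {"column": "crm.orders.total", "tag": None, "classified_at": None},
]
# Constructed events standing in for parsed query-log records from the access window.
EVENTS = [
    {"user": "alice", "columns": ["crm.customers.email", "crm.orders.total"]},
    {"user": "bob", "columns": ["crm.customers.email"]},
    {"user": "svc_etl", "columns": ["crm.customers.email", "crm.customers.ssn"]},
    {"user": "svc_etl", "columns": ["crm.customers.email"]},
    {"user": "alice", "columns": ["crm.customers.phone"]},
]

def newly_sensitive(classification, now):
    """Columns tagged PII within the drift window (long-standing PII is excluded)."""
    return {r["column"] for r in classification
            if r["tag"] == "PII" and now - r["classified_at"] <= DRIFT_WINDOW}

def score_exposure(events, classification, now):
    """Intersect newly-sensitive columns with reads; score breadth and service reads."""
    fresh = newly_sensitive(classification, now)
    stats = defaultdict(lambda: {"consumers": set(), "queries": 0, "service_reads": 0})
    for ev in events:
        for col in set(ev["columns"]) & fresh:
            s = stats[col]
            s["consumers"].add(ev["user"])
            s["queries"] += 1
            # Assumed convention: service accounts are named svc_*.
            s["service_reads"] += ev["user"].startswith("svc_")
    findings = []
    for col, s in stats.items():
        score = 2 * len(s["consumers"]) + 3 * s["service_reads"]
        findings.append({"column": col, "consumers": sorted(s["consumers"]),
                         "query_count": s["queries"], "score": score,
                         "page": score >= PAGE_THRESHOLD})
    return sorted(findings, key=lambda f: f["score"], reverse=True)
```

Calling `score_exposure(EVENTS, CLASSIFICATION, NOW)` returns one finding per newly-sensitive column that was read, highest score first; findings with `page` set would go to PagerDuty, and the full list would feed the Slack summary.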

Set it up

What you configure once, before turning it on.

  1. Connect Axiom: Log streams, queries, dashboards.
  2. Connect Snowflake: Warehouses, queries, shares.
  3. Connect PagerDuty: Incidents, on-call, escalations.
  4. Connect Slack: Channels, DMs, threads, mentions.
  5. Set each agent's model: We leave models unset so you pick the tier (fast + cheap, or top-quality).
  6. Tune it to your data: Edit the prompts, filters, and field mappings so it matches how your team works.
  7. Test, then turn it on: Run once against a sample, confirm the output, then enable the trigger.
