Snowflake

About
Snowflake enables data storage, processing, and analytic solutions that are faster, easier to use, and far more flexible than traditional offerings.
Product Details
Vendor URL: Snowflake
Product Type: Database Management
Product Tier: Tier II
Integration Method: Snowflake - Cyderes Documentation
Integration URL: n/a
Log Guide: n/a
Parser Details
Log Format: JSON
Expected Normalization Rate: near 100%
Data Label: SNOWFLAKE
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| message, "QUERY", "ACCESS HISTORY" | metadata.description |
| START_TIME, QUERY_START_TIME, timestamp | metadata.event_timestamp |
| "Snowflake" | metadata.vendor_name |
| "Snowflake" | metadata.product_name |
| task, QUERY_TYPE | metadata.product_event_type |
| QUERY_ID | metadata.product_log_id |
| RELEASE_VERSION | metadata.product_version |
| ROLE_NAME | principal.user.attribute.roles |
| SESSION_ID | network.session_id |
| objectName | src.application |
| objectName | target.application |
| DATABASE_NAME | target.resource.name |
| DATABASE_ID | target.resource.product_object_id |
| "DATABASE" | target.resource.resource_type |
| USER_NAME | target.user.userid |
| EXECUTION_STATUS, message_type | security_result.action_details |
| base_objects_accessed_column_name | security_result.detection_fields.labels |
| direct_objects_accessed_column_name | security_result.detection_fields.labels |
| objects_modified_column_name | security_result.detection_fields.labels |
| QUERY_TEXT, message | security_result.summary |
| BYTES_SCANNED | additional.fields |
| BYTES_WRITTEN | additional.fields |
| SCHEMA_ID | additional.fields |
| SCHEMA_NAME | additional.fields |
| WAREHOUSE_ID | additional.fields |
| WAREHOUSE_NAME | additional.fields |
| WAREHOUSE_SIZE | additional.fields |
| WAREHOUSE_TYPE | additional.fields |
Product Event Types
| Product Event | Description | UDM Event |
|---|---|---|
| All | All events | GENERIC_EVENT |
Log Sample
{"BASE_OBJECTS_ACCESSED":[{"columns":[{"columnId":1,"columnName":"bCOL_NAME"}],"objectDomain":"Table","objectId":id,"objectName":"DATAHUB_DEV"}],"DIRECT_OBJECTS_ACCESSED":[{"columns":[{"columnId":1,"columnName":"dCOL_NAME"}],"objectDomain":"Table","objectId":id,"objectName":"DATAHUB_DEV"}],"OBJECTS_MODIFIED":[{"objectDomain":"Stage","objectId":id,"objectName":"om_name","stageKind":"Internal Named"}],"QUERY_ID":"queryID","QUERY_START_TIME":"2022-06-23 03:00:04.697 -0700","USER_NAME":"userName"}
Sample Parsing
metadata.product_log_id = "queryID"
metadata.event_timestamp = 1655978404
metadata.event_type = GENERIC_EVENT
metadata.vendor_name = "Snowflake"
metadata.product_name = "Snowflake"
metadata.description = "ACCESS_HISTORY"
src.application = "DATAHUB_DEV"
target.user.userid = "userName"
target.application = "om_name"
target.resource.resource_type = "DATABASE"
security_result.detection_fields.key = "base_objects_accessed_column_name"
security_result.detection_fields.value = "bCOL_NAME"
security_result.detection_fields.key = "direct_objects_accessed_column_name"
security_result.detection_fields.value = "dCOL_NAME"
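The mapping shown above can be checked end to end with a small normalizer. The following Python is an added example, not the Cyderes parser itself: it applies the field mappings from the UDM table to a constructed ACCESS_HISTORY record modelled on the log sample (the unquoted `id` placeholders are replaced with numeric stand-ins so the JSON parses), converts the `-0700` query start time to the UTC epoch value listed in Sample Parsing, and emits the column names from `BASE_OBJECTS_ACCESSED`, `DIRECT_OBJECTS_ACCESSED` and `OBJECTS_MODIFIED` as `security_result.detection_fields` key/value labels. Field names and the key/value list shape are assumptions taken from the table on this page.

```python
import json
from datetime import datetime

# Constructed sample modelled on the page's log sample (not a real Snowflake record);
# objectId values are numeric stand-ins for the page's "id" placeholders.
SAMPLE_LOG = json.dumps({
    "BASE_OBJECTS_ACCESSED": [{
        "columns": [{"columnId": 1, "columnName": "bCOL_NAME"}],
        "objectDomain": "Table", "objectId": 1001, "objectName": "DATAHUB_DEV"}],
    "DIRECT_OBJECTS_ACCESSED": [{
        "columns": [{"columnId": 1, "columnName": "dCOL_NAME"}],
        "objectDomain": "Table", "objectId": 1001, "objectName": "DATAHUB_DEV"}],
    "OBJECTS_MODIFIED": [{
        "objectDomain": "Stage", "objectId": 2002, "objectName": "om_name",
        "stageKind": "Internal Named"}],
    "QUERY_ID": "queryID",
    "QUERY_START_TIME": "2022-06-23 03:00:04.697 -0700",
    "USER_NAME": "userName",
})


def snowflake_time_to_epoch(value: str) -> int:
    """Convert Snowflake's 'YYYY-MM-DD HH:MM:SS.fff +HHMM' string to UTC epoch seconds.

    The offset is honoured, so 03:00:04 -0700 becomes 10:00:04 UTC; the
    fractional part is truncated to match the integer shown in Sample Parsing.
    """
    return int(datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f %z").timestamp())


def column_labels(objects, key: str) -> list:
    """Flatten every columnName under the given object list into key/value labels."""
    labels = []
    for obj in objects or []:
        for col in obj.get("columns", []):
            labels.append({"key": key, "value": col["columnName"]})
    return labels


def normalize_access_history(raw: str) -> dict:
    """Map one ACCESS_HISTORY JSON record onto the UDM fields from the table above."""
    log = json.loads(raw)
    udm = {
        "metadata.product_log_id": log["QUERY_ID"],
        "metadata.event_timestamp": snowflake_time_to_epoch(log["QUERY_START_TIME"]),
        "metadata.event_type": "GENERIC_EVENT",
        "metadata.vendor_name": "Snowflake",
        "metadata.product_name": "Snowflake",
        "metadata.description": "ACCESS_HISTORY",
        "target.user.userid": log["USER_NAME"],
        "target.resource.resource_type": "DATABASE",
    }
    base = log.get("BASE_OBJECTS_ACCESSED") or []
    modified = log.get("OBJECTS_MODIFIED") or []
    # src.application comes from the object that was read, target.application
    # from the object that was written (first entry of each list in this example).
    if base:
        udm["src.application"] = base[0]["objectName"]
    if modified:
        udm["target.application"] = modified[0]["objectName"]
    # Column-level access is what makes ACCESS_HISTORY useful for detection:
    # keep each accessed/modified column as its own label.
    udm["security_result.detection_fields"] = (
        column_labels(base, "base_objects_accessed_column_name")
        + column_labels(log.get("DIRECT_OBJECTS_ACCESSED"), "direct_objects_accessed_column_name")
        + column_labels(modified, "objects_modified_column_name")
    )
    return udm


if __name__ == "__main__":
    for field, value in normalize_access_history(SAMPLE_LOG).items():
        print(f"{field} = {value!r}")
```

Running the block prints one line per UDM field; the timestamp comes out as 1655978404, and because the `OBJECTS_MODIFIED` entry in the sample carries no `columns`, no `objects_modified_column_name` label is produced, which is why Sample Parsing lists only the base and direct column labels.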
Parser Alerting
This product currently does not have any Parser-based Alerting