Snowflake
Introduction
Snowflake is a fully managed, cloud-native data warehouse built to process structured and semi-structured data at massive scale. Its architecture separates storage from compute, enabling organisations to independently scale ingestion, analytics, machine learning, and reporting workloads without impacting performance.
Monitoring Snowflake with ThreatDefence extends security visibility beyond traditional infrastructure into cloud-hosted data platforms. By integrating Snowflake audit and usage telemetry into the ThreatDefence SIEM, security teams can detect suspicious behaviour such as anomalous login patterns, repeated authentication failures, privilege escalation, unusual query activity, and sensitive data access.
This document outlines how to configure Snowflake to export relevant logs and provide them to ThreatDefence for continuous monitoring and analysis.
Step 1 – Configure Snowflake Account Access
Follow the steps below to obtain the connection parameters required for ThreatDefence SIEM integration.
1. Create or Access Your Snowflake Account
Navigate to the Snowflake sign-up page.
Create a new account and select your preferred cloud provider (AWS, Azure, or GCP).
If an account already exists, select Sign in and log in.
2. Retrieve Account Connection Details
Click your profile avatar (top right corner).
Navigate to: Account → View account details
Open the Config File tab.
3. Select Connection Parameters
Within the Config File tab, select:
Warehouse: TARGET_WAREHOUSE
Database: SNOWFLAKE
Connection Method: Password
Record the configuration details displayed. These parameters are required for ThreatDefence to establish secure log collection from your Snowflake environment.
Step 2 – Provide Configuration Details to ThreatDefence
Once the Snowflake connection parameters have been retrieved, provide the following configuration details recorded in Step 1 to ThreatDefence to enable SIEM integration:
USER
PASSWORD
ACCOUNT
WAREHOUSE
DATABASE
SCHEMA
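An added example, not part of ThreatDefence's documentation: one way to provision the USER supplied above as a dedicated read-only identity rather than a personal or administrative login. The TD_ role, user and network-policy names, the placeholder password and IP address, and the choice of the ACCOUNT_USAGE schema are assumptions; TARGET_WAREHOUSE and the SNOWFLAKE database come from Step 1.

```sql
-- Added example: all TD_* names are hypothetical. Run with a role that can
-- create users, roles and network policies (for example ACCOUNTADMIN).

-- 1. Dedicated role limited to the audit and usage views of the SNOWFLAKE database.
CREATE ROLE IF NOT EXISTS TD_SIEM_READER;
GRANT DATABASE ROLE SNOWFLAKE.SECURITY_VIEWER   TO ROLE TD_SIEM_READER;  -- e.g. LOGIN_HISTORY
GRANT DATABASE ROLE SNOWFLAKE.GOVERNANCE_VIEWER TO ROLE TD_SIEM_READER;  -- e.g. QUERY_HISTORY, ACCESS_HISTORY
-- Assumption: these two database roles cover the views the collector reads.
-- If they do not, the broader alternative is:
--   GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE TD_SIEM_READER;

-- 2. Compute only: the role can run queries on the warehouse, not modify it.
GRANT USAGE ON WAREHOUSE TARGET_WAREHOUSE TO ROLE TD_SIEM_READER;

-- 3. Service user whose only role is the reader role.
CREATE USER IF NOT EXISTS TD_SIEM_COLLECTOR
  PASSWORD = '<generate-a-long-random-secret>'   -- placeholder, never reuse a human password
  DEFAULT_ROLE = TD_SIEM_READER
  DEFAULT_WAREHOUSE = TARGET_WAREHOUSE
  DEFAULT_NAMESPACE = 'SNOWFLAKE.ACCOUNT_USAGE'  -- assumed SCHEMA value
  MUST_CHANGE_PASSWORD = FALSE
  COMMENT = 'Read-only log collection for SIEM';
GRANT ROLE TD_SIEM_READER TO USER TD_SIEM_COLLECTOR;

-- 4. Password authentication is the only factor here, so pin the user to the
--    collector's egress address (203.0.113.10 is a documentation placeholder).
CREATE NETWORK POLICY TD_SIEM_ONLY
  ALLOWED_IP_LIST = ('203.0.113.10');
ALTER USER TD_SIEM_COLLECTOR SET NETWORK_POLICY = TD_SIEM_ONLY;

-- 5. Confirm the effective privileges before handing the credentials over.
SHOW GRANTS TO ROLE TD_SIEM_READER;
SHOW GRANTS TO USER TD_SIEM_COLLECTOR;

-- 6. Review the collector's own logins: failures or unexpected client IPs
--    indicate the credential is being used from somewhere else.
SELECT event_timestamp, client_ip, reported_client_type, is_success, error_message
FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE user_name = 'TD_SIEM_COLLECTOR'
  AND event_timestamp >= DATEADD(day, -7, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;
```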

