'Security tower wants Snowflake audit records in SIEM

Our Security group is asking for us to have Snowflake audit records ingested into our on prem SIEM by the end of the quarter. I've found the information_schema.login_history records but I'm struggling to find anything else that the SIEM might want (privilege usage, etc). Any tips on relevant views or functions would be appreciated.

snowflake-cloud-data-platform


Solution 1:[1]

some tables can be used to understand query & login attempts by Snowflake users along with various dimensions. For details take a look at:

https://docs.snowflake.net/manuals/sql-reference/functions/login_history.html https://docs.snowflake.net/manuals/sql-reference/functions/query_history.html

Solution 2:[2]

Here are some of the SNOWFLAKE ACCOUNT_USAGE SCHEMA QUERIES that may come handy.

Access_History ,Query_History will help to find out who and How the Snowflake DB is been accessed and Query History will show the queries executed ,Role ,Warehouse,start time ,end time etc.

Also try to login to Snowsight get the full lineage of a specific Role.

--TO FIND THE ACTIVE USERS IN THE ACCOUNT-- SELECT FIRST_NAME,LAST_NAME,DISPLAY_NAME from "SNOWFLAKE"."ACCOUNT_USAGE"."USERS" WHERE DELETED_ON IS NULL GROUP BY FIRST_NAME,LAST_NAME,DISPLAY_NAME ORDER BY FIRST_NAME DESC;

--TO FIND THE ACTIVE USERS AND ROLES IN THE ACCOUNT-- SELECT ROLE,GRANTEE_NAME,GRANTED_BY FROM "SNOWFLAKE"."ACCOUNT_USAGE"."GRANTS_TO_USERS" WHERE DELETED_ON IS NULL GROUP BY ROLE,GRANTEE_NAME,GRANTED_BY ORDER BY GRANTEE_NAME DESC;

--TO FIND THE ACTIVE GRANTS ON ROLES TO OBJECTS-- SELECT PRIVILEGE,TABLE_CATALOG,GRANTEE_NAME,GRANTED_BY FROM "SNOWFLAKE"."ACCOUNT_USAGE"."GRANTS_TO_ROLES" WHERE DELETED_ON IS NULL GROUP BY PRIVILEGE,TABLE_CATALOG,GRANTEE_NAME,GRANTED_BY ORDER BY TABLE_CATALOG;

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 FKayani
Solution 2 Raj Gajula

Related Questions

HHH000339: Could not obtain connection metadata net.snowflake.client.jdbc.SnowflakeLoggedFeatureNotSupportedException

Easter / Good Friday for Sowflake Date Dim

How to Connect with Dbeaver on Snowflake (DUO Push)

OperationalError: 250003: Failed to get the response. Hanging? method: post

How to parse the following JSON to retrieve the name of the item in snowflake sql?

converting string to date using TO_DATE for MM/DD/YY gives wrong values for dates before 1970 [snowflake-cloud-data-platform]

Execute Multiple SQL Insert Statements in parallel in Snowflake

Unpivot multiple columns in Snowflake

Translating an Excel concept into SQL

Error while working on Automation Grant Access to database views / tables in snowflake schema

Why isn't snowsql opening an external browser?

Snowpark connection errors with 0.6.0 jar

Snowflake-Jitterbit Connector Error: net.snowflake.client.jdbc.SnowflakeSQLException: No active warehouse selected in the current session

How to delete Duplicate records in snowflake database table

How to get count of tables present in a particular schema in snowflake?