If you're having trouble at any stage please contact us at support@skyformation.com.
Preface
The goal of this guide is to add a new CC Snowflake Cloud App Connector to your CC Platform, either to augment Snowflake with Exabeam AA capabilities or to use it as a data source for internal Snowflake activity.
If you're using Exabeam Snowflake Cloud Connector for Augmentation and planning to pull logs and events from multiple datasets, it's highly recommended to create a separate warehouse for this purpose so you can easily understand the costs which are attached to the integration. Usually, the smallest warehouse would be sufficient to start with (X-Small).
Note: The Snowflake Augmentation use-case is in Early Access stage. Please contact Exabeam Support for details.
Prerequisites
Authentication:
The Snowflake connector uses the JDBC driver to connect to the Snowflake database server. Exabeam Cloud Connector supports two authentication methods for Snowflake: Basic Authentication and JWT authentication.
The following information is needed for both authentication methods:
- Full account name: Specifies the full name of your account (provided by Snowflake). Note that your full account name might include additional segments that identify the region and cloud platform where your account is hosted. You can determine the account name from the Snowflake URL in your browser. For example, if your URL is https://xy12345.us-east-1.snowflakecomputing.com then your account name for configuring the connector will be xy12345.us-east-1.
- Username: Specifies the login name of a user created in the above Snowflake account. It is highly recommended to create a unique user for Exabeam integration purposes. This user needs to have read permissions to all the datasets which are required to be pulled.
For Basic Authentication
- Password: Specifies the password for the specified user.
For JWT Authentication
- JWT token: Please follow this guide to create a JWT token.
Once you have the JWT token, you can use it to configure the connector.
Snowflake Audit
For every database found, LOGIN_HISTORY and QUERY_HISTORY endpoints are created.
Views/Tables
An endpoint is created for every table and view found in each of the databases. A valid table or view is one with exactly two columns: one timestamp column (TIMESTAMP_LTZ, TIMESTAMP_NTZ, TIMESTAMP_TZ) and one textual data column (VARIANT/VARCHAR). The Snowflake connector queries by time, so the timestamp column should hold a 'real' value. Please consult with Snowflake support in order to minimize computation costs. Starting an endpoint for a table or view that does not satisfy the above requirements results in a failure to sync.
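One way to prepare the Snowflake side for the prerequisites above (separate X-Small warehouse, unique read-only user) and for the two-column requirement in this section, as an added example that is not Exabeam's or Snowflake's own script. All object names (exabeam_wh, exabeam_export_db, exabeam_reader, exabeam_svc, app_db.public.app_events and its event_time column) and the password placeholder are assumptions.

```sql
-- Added example: every object name below is hypothetical.
-- Run with an administrative role that may create warehouses, roles and users.

-- Dedicated X-Small warehouse so connector query costs are visible on their own.
CREATE WAREHOUSE IF NOT EXISTS exabeam_wh
  WAREHOUSE_SIZE = 'XSMALL'
  AUTO_SUSPEND = 60            -- seconds idle before suspending
  AUTO_RESUME = TRUE
  INITIALLY_SUSPENDED = TRUE;

-- Separate database holding only what the connector should be able to read.
CREATE DATABASE IF NOT EXISTS exabeam_export_db;
CREATE SCHEMA IF NOT EXISTS exabeam_export_db.feeds;

-- Two-column view: one timestamp column, one VARIANT column.
-- app_db.public.app_events and its event_time column are assumed to exist.
CREATE OR REPLACE VIEW exabeam_export_db.feeds.app_events_v AS
SELECT
  event_time::TIMESTAMP_LTZ    AS event_ts,
  OBJECT_CONSTRUCT(*)::VARIANT AS event_data
FROM app_db.public.app_events
WHERE event_time IS NOT NULL;  -- the connector queries by time

-- Read-only role: the view is readable, the source table is not granted.
CREATE ROLE IF NOT EXISTS exabeam_reader;
GRANT USAGE ON WAREHOUSE exabeam_wh TO ROLE exabeam_reader;
GRANT USAGE ON DATABASE exabeam_export_db TO ROLE exabeam_reader;
GRANT USAGE ON SCHEMA exabeam_export_db.feeds TO ROLE exabeam_reader;
GRANT SELECT ON ALL VIEWS IN SCHEMA exabeam_export_db.feeds TO ROLE exabeam_reader;

-- Unique user for the integration, limited to the role and warehouse above.
CREATE USER IF NOT EXISTS exabeam_svc
  PASSWORD = '<replace-with-generated-secret>'
  DEFAULT_ROLE = exabeam_reader
  DEFAULT_WAREHOUSE = exabeam_wh;
GRANT ROLE exabeam_reader TO USER exabeam_svc;

-- Check: list tables/views with exactly one timestamp and one text/VARIANT column.
SELECT table_schema, table_name
FROM exabeam_export_db.information_schema.columns
WHERE table_schema <> 'INFORMATION_SCHEMA'
GROUP BY table_schema, table_name
HAVING COUNT(*) = 2
   AND COUNT_IF(data_type IN ('TIMESTAMP_LTZ', 'TIMESTAMP_NTZ', 'TIMESTAMP_TZ')) = 1
   AND COUNT_IF(data_type IN ('VARIANT', 'TEXT', 'VARCHAR')) = 1;  -- VARCHAR is typically reported as TEXT
```

Any table or view in the export database that the final query does not return fails the two-column requirement and should not be started as an endpoint.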
On-boarding steps
- Log in to your SkyFormation Platform
- Navigate via the left navigation panel to the "Settings" section
- Navigate via the New Settings left navigation panel to the "Accounts" section
- Click the "Add Account" button
- At "SELECT SERVICE TO ADD", choose "Snowflake"
- Based on your preferred authentication method, fill in the information from the prerequisites step above:
  - Tenant (relevant only for the multi-tenant CC edition)
    Choose the tenant the new connector will be attached to.
  - Account Name
    Give the custom connector a name that is meaningful to you.
    This will become your application connector name displayed in the CC platform and added as an identifier to all events sent to your SIEM system from this connector.
  - Description
    Add any text that describes the specific application and its meaning for the business.
  - Full account name
    The full Snowflake account name from the prerequisites steps above.
  - Username
    The username from the prerequisites steps above.
  - Password/JWT token
    The password/JWT token from the prerequisites steps above.
  - Warehouse
    Choose the warehouse you would like the connector to use as the default when sending queries.
- Test the correctness of the settings
  Press the "TEST CONNECTION" button.
  If a green OK sign appears, you have completed the onboarding successfully.
- Click the "SAVE" button.
- Start the new connector
  When a new cloud connector is added, its default state is STOPPED.
  To start it, press its START button.
- After a few seconds, click on the "STATUS" button. You will see a list of all the datasets which the connector discovered. You can decide which of these datasets to activate (the connector will periodically pull data from them) and which ones to disable.
NOTE: As Snowflake charges for every query, there is a cost/performance tradeoff between how close to real time the solution is and how much it costs.
By default, Exabeam Cloud Connector for Snowflake issues a query once every 5 minutes.
If you would like to change the sync frequency for a specific dataset/endpoint, please follow this guide.
For more information about Snowflake pricing please see here.
DONE!