Snowflake

Overview

Panther uses Snowflake to store and search log data.

Integrating Panther with Snowflake lets you use Panther data in your Business Intelligence tools to build dashboards tailored to your operations. You can also join Panther data (e.g., Panther alerts) to your business data, so that you can assess your security posture in terms of your own organization. For example, you can tally alerts by organizational division (e.g., Human Resources) or by infrastructure tier (e.g., development, test, or production).

Snowflake instances can be Panther-managed or customer-configured. To learn how Panther configures managed Snowflake instances (and for recommendations on configuring an instance you manage yourself), see Snowflake Configuration for Optimal Search Performance. Note that certain Panther features are only available on Snowflake Enterprise Edition or higher.

Panther uses Snowpipe to copy the data into your Snowflake cluster.

Use additional data sets in Panther

Panther uses a panther_readonly Snowflake user to query data in Snowflake. By default, this user's role, panther_readonly_role, is granted only the minimal set of privileges needed to access the data in the Panther databases. However, if you want to query your own preexisting data sets from Data Explorer (such as HR data, or in-house or vendor-provided allowlists/denylists), you can make that data accessible to the role with statements like the following:

GRANT USAGE
  ON DATABASE my_database_name
  TO ROLE panther_readonly_role;
GRANT USAGE
  ON SCHEMA my_database_name.my_schema_name
  TO ROLE panther_readonly_role;
GRANT SELECT
  ON TABLE  my_database_name.my_schema_name.my_table_name
  TO ROLE panther_readonly_role;

Note that the newly granted database, schema, and table will not appear in the Panther sidebar, but you can still query them with regular SQL.
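The following is an added example, not Panther's own documentation or code, that extends the grants above into a least-privilege workflow: grant the read-only role access to one customer table, verify exactly what the role now holds, and revoke the access when it is no longer needed. The database, schema, and table names (hr_db.people.employee_division) are hypothetical placeholders; substitute your own.

```sql
-- Added example (not Panther's own). Hypothetical object names:
-- hr_db.people.employee_division is a customer table mapping users to divisions.

-- 1. Grant only what the read-only role needs: USAGE so the role can reach
--    the objects, and SELECT on the single table (not on the whole schema).
GRANT USAGE  ON DATABASE hr_db                          TO ROLE panther_readonly_role;
GRANT USAGE  ON SCHEMA   hr_db.people                   TO ROLE panther_readonly_role;
GRANT SELECT ON TABLE    hr_db.people.employee_division TO ROLE panther_readonly_role;

-- Optional: if this schema will keep gaining tables that Panther should see,
-- a future grant saves re-running the per-table GRANT. It is broader than a
-- per-table grant, so use it deliberately.
-- GRANT SELECT ON FUTURE TABLES IN SCHEMA hr_db.people TO ROLE panther_readonly_role;

-- 2. Verify: list every privilege the role holds and confirm the only new
--    entries are USAGE on hr_db, USAGE on hr_db.people, and SELECT on the table.
SHOW GRANTS TO ROLE panther_readonly_role;

-- 3. Revoke, in reverse order, when the data set should no longer be reachable
--    from Data Explorer.
REVOKE SELECT ON TABLE    hr_db.people.employee_division FROM ROLE panther_readonly_role;
REVOKE USAGE  ON SCHEMA   hr_db.people                   FROM ROLE panther_readonly_role;
REVOKE USAGE  ON DATABASE hr_db                          FROM ROLE panther_readonly_role;
```

Run these as a role that can grant privileges on hr_db (its owner, or a role with MANAGE GRANTS). The SHOW GRANTS step is worth keeping in any change procedure: it is the quickest way to catch a grant that was accidentally issued on a whole schema or database instead of the single table you intended.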

Snowflake health monitoring

Panther performs health checks in Snowflake for file loading and for stage and Snowpipe health. By default, Panther runs these checks every 3 hours (180 minutes).

File loading into Snowflake

Using the Snowflake COPY_HISTORY() function, Panther monitors files loaded into Panther-owned database tables for loading errors. Such errors are rare, but when found they are immediately escalated to Panther staff, who work to fix the issue and manually re-stage the data so that it loads successfully into your Snowflake account.

Stage and Snowpipe health

Panther manages all external stages and Snowpipes used to load data from S3 buckets into Snowflake tables. If the output of the SYSTEM$PIPE_STATUS function shows that a Snowpipe has an executionState other than RUNNING, Panther automatically attempts to repair the pipe by performing one or more of the following actions:

  • Recreating the affected pipe

  • Recreating the underlying stage

  • Refreshing the pipe

In most cases, when a pipe is repaired using the steps above, manually reloading the data is not required. (Panther verifies this by checking the file load metadata available for Snowflake tables.) As with copy failures, all stage and pipe failures are reported to Panther staff, who monitor whether a fix is required.
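The two queries below are an added example, not Panther's own health-check code, showing how the same two signals described above (COPY_HISTORY load status and SYSTEM$PIPE_STATUS executionState) can be inspected from a Snowflake worksheet, for instance to corroborate a Panther notification. The database, table, and pipe names (my_panther_db.public.my_log_table and my_panther_db.public.my_log_pipe) are hypothetical placeholders for the Panther-owned objects in your account.

```sql
-- Added example (not Panther's own). Hypothetical names: my_panther_db is the
-- Panther log database, my_log_table a table in it, my_log_pipe the Snowpipe
-- that feeds that table.

-- Check 1: file-loading errors over the default 180-minute check window.
-- COPY_HISTORY reports one row per file; anything other than 'Loaded'
-- ('Load failed', 'Partially loaded', 'Load in progress') deserves a look.
SELECT file_name,
       stage_location,
       last_load_time,
       status,
       error_count,
       first_error_message
FROM TABLE(my_panther_db.information_schema.copy_history(
         TABLE_NAME => 'MY_PANTHER_DB.PUBLIC.MY_LOG_TABLE',
         START_TIME => DATEADD(minute, -180, CURRENT_TIMESTAMP())))
WHERE status <> 'Loaded'
ORDER BY last_load_time DESC;

-- Check 2: Snowpipe state. SYSTEM$PIPE_STATUS returns a JSON string; parse it
-- and pull out the fields that matter. executionState must be 'RUNNING';
-- a growing pendingFileCount with a stale lastIngestedTimestamp means files
-- are arriving but not being loaded.
WITH pipe AS (
    SELECT PARSE_JSON(SYSTEM$PIPE_STATUS('MY_PANTHER_DB.PUBLIC.MY_LOG_PIPE')) AS st
)
SELECT st:executionState::string        AS execution_state,
       st:pendingFileCount::number      AS pending_files,
       st:lastIngestedTimestamp::string AS last_ingested,
       IFF(st:executionState::string = 'RUNNING', 'healthy', 'needs attention') AS verdict
FROM pipe;
```

SYSTEM$PIPE_STATUS can only be called by the pipe's owner or by a role holding MONITOR on the pipe, so in a Panther-managed instance the role you query with may not be permitted to run Check 2; Check 1 only needs access to the database's INFORMATION_SCHEMA and the table. Neither query changes anything: the pipe and stage repairs listed above are performed by Panther on the objects it manages.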
