Knowledge BaseCommunityRelease NotesTraining VideosRequest Demo
Search
K
Links

Snowflake Integration

Overview

Panther is configured to write processed log data to an AWS-based Snowflake database cluster.
Integrating Panther with Snowflake enables Panther data to be used with your Business Intelligence tools to make dashboards tailored to your operations. In addition, you can join Panther alerts to your business data, allowing you to assess your security posture.
Panther uses Snowpipe to copy the data into your Snowflake cluster.

Snowflake integration options

  • Panther-managed
    • For SaaS customers, a Snowflake instance is automatically provisioned, set up, and maintained by Panther.
  • Snowflake Connected
    • If you are an existing Snowflake customer, Panther can be configured to use one of your own Snowflake accounts.
  • Legacy customer-configured
    • In this configuration, Panther has no access and requires a Database Administrator to run commands on our behalf. This option is no longer offered to new customers.

Panther-managed Snowflake

Panther-managed Snowflake means that a Snowflake instance is automatically provisioned and Panther takes care of setup and maintenance for you. This option is also known simply as "Managed Snowflake." Learn about how Panther configures Snowflake instances on Snowflake Configuration for Optimal Search Performance.
If you wish to share data between your Panther-managed Snowflake account and your own internal Snowflake account, please contact your Panther support team.
If you wish to access your Panther-managed Snowflake data for Business Intelligence (BI) reporting but do not have your own corporate Snowflake account, please contact your Panther support team and request a BI user for read-only access.

Migrating from Panther-managed to Snowflake Connected

If you have a Panther-managed Snowflake instance, it is possible to assume ownership of it, turning it into a Snowflake Connected instance.
To do so, follow these instructions:
  1. 1.
    Notify your Panther support team that you'd like to assume ownership of your Panther-managed Snowflake account.
  2. 2.
    After receiving a prewritten message from your Panther support team, send it to your Snowflake team. The message will:
    • Request the Snowflake account be transferred to your organization
    • Include important information about your Snowflake account
  3. 3.
    When the account has been successfully transferred, notify your Panther support team.
    • Panther will provide you with login credentials to the Snowflake account.
    • When you log into Snowflake, you will see the transferred instance within your organization account.

Snowflake Connected

If you are an existing Snowflake customer, Panther can be configured to use one of your own Snowflake accounts. This option has also been known as "Customer-configured Snowflake" or "Bring Your Own Snowflake (BYOSF)". See recommendations for how to configure your Snowflake instance on Snowflake Configuration for Optimal Search Performance.
In Snowflake, it is possible to share table access. This allows your business data and security data to be queried in Panther (via the PANTHER_READ_ONLY role).
When you manage your own Snowflake instance, you can create tables and views with data ingested by Panther. Do not place these custom objects inside Panther databases. Unexpected tables and views will cause errors. Instead, create them in non-Panther databases, and share them with Panther.
Do not create users or any other database objects with the prefix PANTHER_.
Follow these steps to create a new Snowflake account for Panther:
  1. 1.
    Create a new dedicated Snowflake account for Panther using the example template below.
    • To minimize latency, your Panther deployment and Snowflake instance should reside in the same AWS region.
      USE ROLE ORGADMIN;
      CREATE ACCOUNT <YOUR_PANTHER_ACCOUNT_NAME> # the account_name is up to your discretion but we recommend your Panther account name
      ADMIN_NAME = <YOUR_ADMIN_NAME>
      ADMIN_PASSWORD = '<YOUR ADMIN PASSWORD>' # we recommend at least 32 characters
      EMAIL = '<your snowflake DBA email>'
      MUST_CHANGE_PASSWORD = FALSE
      EDITION = <YOUR_EDITION> # STANDARD, ENTERPRISE or BUSINESS_CRITICAL
      REGION = <YOUR_REGION> # i.e. aws_us_west_2
      COMMENT = 'Panther Snowflake BYOSF Production Environment';
  2. 2.
    In the new account, create a Panther Account Administrator user and grant it administrative privileges using the following commands:
    USE ROLE SECURITYADMIN;
    CREATE USER IF NOT EXISTS pantheraccountadmin password='<panther_credential>';
    GRANT ROLE SYSADMIN
    TO USER pantheraccountadmin;
    GRANT ROLE SECURITYADMIN
    TO USER pantheraccountadmin;
    GRANT ROLE ACCOUNTADMIN
    TO USER pantheraccountadmin;
    ALTER USER pantheraccountadmin SET DEFAULT_ROLE = SYSADMIN;
  3. 3.
    Obtain the Snowflake Account URL and share it with Panther Support. This step ensures that you connect to the correct account.
    • The URL should be in this format: <org-name>-<account-name>.snowflakecomputing.com
The Panther support team will provide you with a unique one-time credential over a secure channel to use for this account. Panther will regularly rotate this credential in the future, so you are advised to maintain a separate administrative user for your own administrative needs.
Panther will automatically configure and maintain the account for you using our automated tooling. We will manage integrations, databases, warehouses, and users and roles in the new account.

Creating read-only roles for Panther data tables

If you would like to create and maintain several users with read-only access to the Panther data lake tables, you can use the PANTHERACCOUNTADMIN user or another SECURITYADMIN enabled user on your Snowflake account to run the following commands:
USE ROLE SECURITYADMIN;
# If needed, create a new user
CREATE USER IF NOT EXISTS my_readonly_user
PASSWORD = '<INITIAL PASSWORD>'
MUST_CHANGE_PASSWORD = TRUE;
# Grant the PANTHER_READONLY_ROLE to the newly created user
GRANT ROLE PANTHER_READONLY_ROLE TO USER my_readonly_user;

Disabling and Reenabling the Panther Account Admin User (Optional)

Panther maintains the PANTHERACCOUNTADMIN user credentials in a secure location, and will rotate them at a regular cadence in addition to using the credentials to rotate RSA keys used for read-only and database management access.
You can choose to disable this user from within the account, however, we do not recommend doing this as it will prevent Panther from performing credential rotation:
USE ROLE SECURITYADMIN;
ALTER USER PANTHERACCOUNTADMIN SET DISABLED = TRUE
If a Panther upgrade requires privileged access, the user can then be temporarily re-enabled:
USE ROLE SECURITYADMIN;
ALTER USER PANTHERACCOUNTADMIN SET DISABLED = FALSE

Legacy Customer-configured Snowflake Integration

For information on the legacy customer-configured Snowflake integration, see Legacy Customer-configured Snowflake Integration.
Previous
Preparing for Initial Cloud Connected Deployment
Next
Legacy Customer-configured Snowflake Integration
Last modified 2d ago