Introducing SnowAlert Data Connectors
A year after its launch, the SnowAlert project is taking a big step forward with the release of Data Connectors. Within Snowflake, we’re collecting and correlating dozens of data sources to power our security program. Meanwhile, our open source approach to using Snowflake for high-fidelity, cost-effective security analytics has been embraced outside of Snowflake’s internal security team. Together with our growing community, we’ve realized that SnowAlert should make it fast and easy to get security data into Snowflake.
What data sources will SnowAlert support out of the box? We see activities, assets, and configurations as the three main data types needed for cloud security. SnowAlert Data Connectors will cover these three categories for all of the major cloud providers, SaaS solutions, and security products. In today’s release, we’ve included connectors for AWS CloudTrail, Azure Activity Logs, and Okta System Logs.
Both AWS and Azure log integrations leverage Snowflake’s powerful new “Streams and Tasks” feature. Building log collection using core Snowflake functionality ensures that once SnowAlert users configure the connection, heavy data loads will be fully handled by Snowflake. This approach bypasses the need to use a separate ETL solution for collecting third-party log data.
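As an added illustration of the Streams and Tasks pattern described above (example SQL written for this page, not SnowAlert's own connector code), the following wires up a CloudTrail landing table, a stream on it, and a task that flattens new records into a queryable events table. The stage name `@cloudtrail_stage`, the warehouse `security_wh`, the table names and the external stage with its S3 event notification are all assumptions.

```sql
-- 1. Landing table: one row per CloudTrail file, held as VARIANT (assumed name).
CREATE TABLE IF NOT EXISTS cloudtrail_raw (raw VARIANT, filename STRING);

-- 2. Snowpipe copies each gzipped JSON file from the S3 stage as it arrives.
CREATE PIPE IF NOT EXISTS cloudtrail_pipe AUTO_INGEST = TRUE AS
  COPY INTO cloudtrail_raw (raw, filename)
  FROM (SELECT $1, METADATA$FILENAME FROM @cloudtrail_stage)
  FILE_FORMAT = (TYPE = 'JSON' COMPRESSION = 'GZIP');

-- 3. Append-only stream: records rows added to the landing table since the
--    last time the stream was consumed.
CREATE STREAM IF NOT EXISTS cloudtrail_raw_stream
  ON TABLE cloudtrail_raw APPEND_ONLY = TRUE;

-- 4. Normalized table that detection rules query.
CREATE TABLE IF NOT EXISTS cloudtrail_events (
  event_time   TIMESTAMP_LTZ,
  event_name   STRING,
  event_source STRING,
  source_ip    STRING,
  user_arn     STRING,
  error_code   STRING,
  raw          VARIANT
);

-- 5. Task runs every 5 minutes but only does work when the stream has data.
--    Reading the stream inside the INSERT advances its offset, so each file
--    is flattened exactly once; the warehouse does the load, not an ETL host.
CREATE TASK IF NOT EXISTS cloudtrail_flatten_task
  WAREHOUSE = security_wh
  SCHEDULE = '5 MINUTE'
WHEN SYSTEM$STREAM_HAS_DATA('cloudtrail_raw_stream')
AS
  INSERT INTO cloudtrail_events
  SELECT
    r.value:eventTime::TIMESTAMP_LTZ,
    r.value:eventName::STRING,
    r.value:eventSource::STRING,
    r.value:sourceIPAddress::STRING,
    r.value:userIdentity:arn::STRING,
    r.value:errorCode::STRING,
    r.value
  FROM cloudtrail_raw_stream s,
       LATERAL FLATTEN(input => s.raw:Records) r;

-- Tasks are created suspended; resume to start the schedule.
ALTER TASK cloudtrail_flatten_task RESUME;
```

Because the task consumes the stream transactionally, a failed run leaves the stream offset unchanged and the next run retries the same rows, so no CloudTrail file is silently dropped or double-counted.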
For data sources that require polling an API, such as Okta, the SnowAlert container periodically reaches out and downloads the data into Snowflake. Internally, we're even collecting on-prem logs from firewalls by running a syslog server such as Fluentd or Logstash, both of which can write to an AWS S3 bucket, from which the logs are easily piped into Snowflake.
An advantage of the Snowflake Security Analytics community aligning on a common set of data connectors is that we’re standardizing how security data is stored in Snowflake. That will accelerate the process of BI vendors and Independent Analytics Vendors (IAVs) building innovative security solutions for Snowflake customers.
Over the coming weeks and months, Snowflake's security team will release connectors for a wide variety of security data sources, ranging from AWS Config and ADP HR records to CrowdStrike and Palo Alto Networks firewall detection events. We hope that other security teams at Snowflake customers will find these Data Connectors useful and contribute connectors for the benefit of the whole community. Stay connected!