Snowflake sample event message

The following sample events are from Snowflake database when you use the JDBC protocol.

Login History View event

In the following sample event message, the event indicates the results of a query that returns the login attempt details of the Snowflake users.

EVENT_ID: "1111111111111111xx" EVENT_TIMESTAMP: "2024-03-26 16:24:57.936" 
EVENT_TYPE: "LOGIN" USER_NAME: "TEST" CLIENT_IP: "10.0.x.x" 
REPORTED_CLIENT_TYPE: "JDBC_DRIVER" REPORTED_CLIENT_VERSION: "3.14.x" 
FIRST_AUTHENTICATION_FACTOR: "PASSWORD" SECOND_AUTHENTICATION_FACTOR: "null" 
IS_SUCCESS: "YES" ERROR_CODE: "null" ERROR_MESSAGE: "null" RELATED_EVENT_ID: "0" CONNECTION: "null
Table 1. Highlighted values in the Snowflake: Login History View sample event
QRadar field name Highlighted payload field name
Event ID EVENT_TYPE + IS_SUCCESS

[SUCCESS / (FAIL + ERROR_CODE)]

Important: If the value of IS_SUCCESS is 'Yes', then the system appends SUCCESS, else FAIL with an ERROR_CODE.
Username USER_NAME
Source IP CLIENT_IP
Device Time EVENT_TIMESTAMP

Query History View event

The following sample event message shows the results of a Snowflake query by different dimensions (time range, session, user, warehouse, and so on).

QUERY_ID: "11111111-1111-1111-1111-111111111111" QUERY_TEXT: "select max(SESSION_ID) from QUERY_HISTORY" 
DATABASE_ID: "1" DATABASE_NAME:"SNOWFLAKE" SCHEMA_ID: "3" SCHEMA_NAME: "ACCOUNT_USAGE" 
QUERY_TYPE: "SELECT" SESSION_ID: "1111111111111" USER_NAME: "TEST" ROLE_NAME:"ACCOUNTADMIN" 
WAREHOUSE_ID: "1" WAREHOUSE_NAME: "COMPUTE_WH" WAREHOUSE_SIZE: "X-Small" WAREHOUSE_TYPE: "STANDARD" 
CLUSTER_NUMBER:"1" QUERY_TAG: "" EXECUTION_STATUS: "SUCCESS" ERROR_CODE: "null" ERROR_MESSAGE: "null" 
START_TIME: "2024-04-03 11:41:36.358" END_TIME: "2024-04-03 11:41:36.95" TOTAL_ELAPSED_TIME: "592" 
BYTES_SCANNED: "35994112" PERCENTAGE_SCANNED_FROM_CACHE: "1.0" 
BYTES_WRITTEN: "0" BYTES_WRITTEN_TO_RESULT: "306" BYTES_READ_FROM_RESULT: "0" ROWS_PRODUCED: "1" 
ROWS_INSERTED: "0" ROWS_UPDATED: "0" ROWS_DELETED: "0" ROWS_UNLOADED: "0" BYTES_DELETED: "0" 
PARTITIONS_SCANNED: "33" PARTITIONS_TOTAL: "196285" BYTES_SPILLED_TO_LOCAL_STORAGE: "0"
BYTES_SPILLED_TO_REMOTE_STORAGE: "0" BYTES_SENT_OVER_THE_NETWORK: "0" COMPILATION_TIME: "437" 
EXECUTION_TIME: "155" QUEUED_PROVISIONING_TIME: "0" QUEUED_REPAIR_TIME: "0" QUEUED_OVERLOAD_TIME: "0" 
TRANSACTION_BLOCKED_TIME: "0" OUTBOUND_DATA_TRANSFER_CLOUD: "null" OUTBOUND_DATA_TRANSFER_REGION: "null" 
OUTBOUND_DATA_TRANSFER_BYTES: "0" INBOUND_DATA_TRANSFER_CLOUD: "null" INBOUND_DATA_TRANSFER_REGION: "null" 
INBOUND_DATA_TRANSFER_BYTES: "0" LIST_EXTERNAL_FILES_TIME: "0" CREDITS_USED_CLOUD_SERVICES: "6.7E-5" 
RELEASE_VERSION: "8.13.1" EXTERNAL_FUNCTION_TOTAL_INVOCATIONS: "0" EXTERNAL_FUNCTION_TOTAL_SENT_ROWS: "0" 
EXTERNAL_FUNCTION_TOTAL_RECEIVED_ROWS: "0" EXTERNAL_FUNCTION_TOTAL_SENT_BYTES: "0"
EXTERNAL_FUNCTION_TOTAL_RECEIVED_BYTES: "0" QUERY_LOAD_PERCENT: "100" IS_CLIENT_GENERATED_STATEMENT: "false"
QUERY_ACCELERATION_BYTES_SCANNED: "0" QUERY_ACCELERATION_PARTITIONS_SCANNED: "0" 
QUERY_ACCELERATION_UPPER_LIMIT_SCALE_FACTOR: "0" TRANSACTION_ID: "0" CHILD_QUERIES_WAIT_TIME: "0" 
ROLE_TYPE: "ROLE" QUERY_HASH: "11111111111111111111111111111111" QUERY_HASH_VERSION:"2" 
QUERY_PARAMETERIZED_HASH: "11111111111111111111111111111111" QUERY_PARAMETERIZED_HASH_VERSION: "1" 
SECONDARY_ROLE_STATS:"{"roleNames":[],"roleCount":0,"roleIds":[]}" ROWS_WRITTEN_TO_RESULT: "1" 
QUERY_RETRY_TIME: "null" QUERY_RETRY_CAUSE: "null" FAULT_HANDLING_TIME:"null"
Table 2. Highlighted values in the Snowflake: Query History View sample event
QRadar field name Highlighted payload field name
Event ID QUERY_TYPE + EXECUTION_STATUS
Important: If the status is FAIL, then append the ERROR_CODE.
Username USER_NAME
Device Time START_TIME

Snowalert event

The following sample event message shows the snow alert for a particular view. Snowalert is a security analytics framework that uses the Snowflake Cloud Data Platform to identify security incidents across diverse data sources and time ranges.

TABLE_CATALOG: "SNOWALERT" TABLE_SCHEMA: "DATA" TABLE_NAME: "DATA_CONNECTOR_RUN_ERRORS" 
TABLE_OWNER: "ACCOUNTADMIN"VIEW_DEFINITION: "CREATE OR REPLACE VIEW data.data_connector_run_errors COPY GRANTS AS SELECT day , 
COUNT(DISTINCT SUBSTR(exc, 0, 50)) ASnum_distinct_exceptions , 
SUM(IFF(exc IS NOT NULL, 1, 0)) AS num_errors FROM ( SELECT slice_start::DATE AS day FROM TABLE(data.time_slices_before_t(30,60*60*24)) ) d 
RIGHT OUTER JOIN ( SELECT v:START_TIME::DATE AS day , v:ERROR.EXCEPTION_ONLY AS exc FROM results.ingestion_metadata ) e 
USING(day) GROUP BY day ORDER BY day DESC ;" CHECK_OPTION: "NONE" IS_UPDATABLE: "NO" INSERTABLE_INTO: "NO" 
IS_SECURE: "NO" CREATED : "2024-02-2914:56:14.88" LAST_ALTERED: "2024-02-29 14:56:15.005" 
LAST_DDL: "2024-02-29 14:56:14.88" LAST_DDL_BY: "TEST" COMMENT: "Errors recorded during DCruns"
Table 3. Highlighted values in the Snowflake: Snowalert sample event
QRadar field name Highlighted payload field name
Event ID TABLE_CATALOG + TABLE_NAME
Username LAST_DDL_BY