Snowflake sample event message
The following sample events are from Snowflake database when you use the JDBC protocol.
Login History View event
In the following sample event message, the event indicates the results of a query that returns the login attempt details of the Snowflake users.
EVENT_ID: "1111111111111111xx" EVENT_TIMESTAMP: "2024-03-26 16:24:57.936"
EVENT_TYPE: "LOGIN" USER_NAME: "TEST" CLIENT_IP: "10.0.x.x"
REPORTED_CLIENT_TYPE: "JDBC_DRIVER" REPORTED_CLIENT_VERSION: "3.14.x"
FIRST_AUTHENTICATION_FACTOR: "PASSWORD" SECOND_AUTHENTICATION_FACTOR: "null"
IS_SUCCESS: "YES" ERROR_CODE: "null" ERROR_MESSAGE: "null" RELATED_EVENT_ID: "0" CONNECTION: "null
QRadar field name | Highlighted payload field name |
---|---|
Event ID | EVENT_TYPE + IS_SUCCESS [SUCCESS / (FAIL + ERROR_CODE)] Important: If the value of IS_SUCCESS is 'Yes', then the system appends
SUCCESS, else FAIL with an ERROR_CODE.
|
Username | USER_NAME |
Source IP | CLIENT_IP |
Device Time | EVENT_TIMESTAMP |
Query History View event
The following sample event message shows the results of a Snowflake query by different dimensions (time range, session, user, warehouse, and so on).
QUERY_ID: "11111111-1111-1111-1111-111111111111" QUERY_TEXT: "select max(SESSION_ID) from QUERY_HISTORY"
DATABASE_ID: "1" DATABASE_NAME:"SNOWFLAKE" SCHEMA_ID: "3" SCHEMA_NAME: "ACCOUNT_USAGE"
QUERY_TYPE: "SELECT" SESSION_ID: "1111111111111" USER_NAME: "TEST" ROLE_NAME:"ACCOUNTADMIN"
WAREHOUSE_ID: "1" WAREHOUSE_NAME: "COMPUTE_WH" WAREHOUSE_SIZE: "X-Small" WAREHOUSE_TYPE: "STANDARD"
CLUSTER_NUMBER:"1" QUERY_TAG: "" EXECUTION_STATUS: "SUCCESS" ERROR_CODE: "null" ERROR_MESSAGE: "null"
START_TIME: "2024-04-03 11:41:36.358" END_TIME: "2024-04-03 11:41:36.95" TOTAL_ELAPSED_TIME: "592"
BYTES_SCANNED: "35994112" PERCENTAGE_SCANNED_FROM_CACHE: "1.0"
BYTES_WRITTEN: "0" BYTES_WRITTEN_TO_RESULT: "306" BYTES_READ_FROM_RESULT: "0" ROWS_PRODUCED: "1"
ROWS_INSERTED: "0" ROWS_UPDATED: "0" ROWS_DELETED: "0" ROWS_UNLOADED: "0" BYTES_DELETED: "0"
PARTITIONS_SCANNED: "33" PARTITIONS_TOTAL: "196285" BYTES_SPILLED_TO_LOCAL_STORAGE: "0"
BYTES_SPILLED_TO_REMOTE_STORAGE: "0" BYTES_SENT_OVER_THE_NETWORK: "0" COMPILATION_TIME: "437"
EXECUTION_TIME: "155" QUEUED_PROVISIONING_TIME: "0" QUEUED_REPAIR_TIME: "0" QUEUED_OVERLOAD_TIME: "0"
TRANSACTION_BLOCKED_TIME: "0" OUTBOUND_DATA_TRANSFER_CLOUD: "null" OUTBOUND_DATA_TRANSFER_REGION: "null"
OUTBOUND_DATA_TRANSFER_BYTES: "0" INBOUND_DATA_TRANSFER_CLOUD: "null" INBOUND_DATA_TRANSFER_REGION: "null"
INBOUND_DATA_TRANSFER_BYTES: "0" LIST_EXTERNAL_FILES_TIME: "0" CREDITS_USED_CLOUD_SERVICES: "6.7E-5"
RELEASE_VERSION: "8.13.1" EXTERNAL_FUNCTION_TOTAL_INVOCATIONS: "0" EXTERNAL_FUNCTION_TOTAL_SENT_ROWS: "0"
EXTERNAL_FUNCTION_TOTAL_RECEIVED_ROWS: "0" EXTERNAL_FUNCTION_TOTAL_SENT_BYTES: "0"
EXTERNAL_FUNCTION_TOTAL_RECEIVED_BYTES: "0" QUERY_LOAD_PERCENT: "100" IS_CLIENT_GENERATED_STATEMENT: "false"
QUERY_ACCELERATION_BYTES_SCANNED: "0" QUERY_ACCELERATION_PARTITIONS_SCANNED: "0"
QUERY_ACCELERATION_UPPER_LIMIT_SCALE_FACTOR: "0" TRANSACTION_ID: "0" CHILD_QUERIES_WAIT_TIME: "0"
ROLE_TYPE: "ROLE" QUERY_HASH: "11111111111111111111111111111111" QUERY_HASH_VERSION:"2"
QUERY_PARAMETERIZED_HASH: "11111111111111111111111111111111" QUERY_PARAMETERIZED_HASH_VERSION: "1"
SECONDARY_ROLE_STATS:"{"roleNames":[],"roleCount":0,"roleIds":[]}" ROWS_WRITTEN_TO_RESULT: "1"
QUERY_RETRY_TIME: "null" QUERY_RETRY_CAUSE: "null" FAULT_HANDLING_TIME:"null"
QRadar field name | Highlighted payload field name |
---|---|
Event ID | QUERY_TYPE + EXECUTION_STATUS Important: If the status is FAIL, then append the ERROR_CODE.
|
Username | USER_NAME |
Device Time | START_TIME |
Snowalert event
The following sample event message shows the snow alert for a particular view. Snowalert is a security analytics framework that uses the Snowflake Cloud Data Platform to identify security incidents across diverse data sources and time ranges.
TABLE_CATALOG: "SNOWALERT" TABLE_SCHEMA: "DATA" TABLE_NAME: "DATA_CONNECTOR_RUN_ERRORS"
TABLE_OWNER: "ACCOUNTADMIN"VIEW_DEFINITION: "CREATE OR REPLACE VIEW data.data_connector_run_errors COPY GRANTS AS SELECT day ,
COUNT(DISTINCT SUBSTR(exc, 0, 50)) ASnum_distinct_exceptions ,
SUM(IFF(exc IS NOT NULL, 1, 0)) AS num_errors FROM ( SELECT slice_start::DATE AS day FROM TABLE(data.time_slices_before_t(30,60*60*24)) ) d
RIGHT OUTER JOIN ( SELECT v:START_TIME::DATE AS day , v:ERROR.EXCEPTION_ONLY AS exc FROM results.ingestion_metadata ) e
USING(day) GROUP BY day ORDER BY day DESC ;" CHECK_OPTION: "NONE" IS_UPDATABLE: "NO" INSERTABLE_INTO: "NO"
IS_SECURE: "NO" CREATED : "2024-02-2914:56:14.88" LAST_ALTERED: "2024-02-29 14:56:15.005"
LAST_DDL: "2024-02-29 14:56:14.88" LAST_DDL_BY: "TEST" COMMENT: "Errors recorded during DCruns"
QRadar field name | Highlighted payload field name |
---|---|
Event ID | TABLE_CATALOG + TABLE_NAME |
Username | LAST_DDL_BY |