Log Sources for Security Monitoring
Customers can monitor their Snowflake deployment for potential indicators of compromise by integrating Snowflake log sources with their Security Information and Event Management (SIEM) solution. This guide documents the security identifiers and the Information Schema and Account Usage columns that Snowflake recommends customers monitor. In addition, this publication maps columns to the MITRE ATT&CK SaaS Matrix, an industry framework that helps security analysts implement detection and response controls that align to their organization's incident response procedures.
Security Identifiers and Views
| Security Identifier/View | Columns | Schema Location | Latency | MITRE ATT&CK |
|---|---|---|---|---|
| APPLICABLE_ROLES | GRANTEE, ROLE_NAME, ROLE_OWNER, IS_GRANTABLE | INFORMATION_SCHEMA | n/a | T1060 - Permission Group Discovery; T1087 - Account Discovery |
| STAGES | STAGE_NAME, CREATED, LAST_ALTERED | INFORMATION_SCHEMA | n/a | T1213 - Data Collection/Exfiltration; T1074 - Data Staged |
| USAGE_PRIVILEGES | GRANTOR, GRANTEE, PRIVILEGE_TYPE, IS_GRANTABLE, CREATED | INFORMATION_SCHEMA | n/a | T1078 - Privilege Escalation |
| OBJECT_PRIVILEGES | GRANTOR, GRANTEE, PRIVILEGE_TYPE, IS_GRANTABLE, CREATED | INFORMATION_SCHEMA | n/a | T1078 - Privilege Escalation |
| ACCESS_HISTORY | QUERY_ID, QUERY_START_TIME, USER_NAME, DIRECT_OBJECTS_ACCESSED, BASE_OBJECTS_ACCESSED | ACCOUNT_USAGE | 3 hours | T1078 - Valid Accounts |
| COPY_HISTORY | All Applicable Columns | ACCOUNT_USAGE | 2 hours | T1213 - Data Collection; T1074 - Data Staged |
| DATA_TRANSFER_HISTORY | START_TIME, END_TIME, SOURCE_CLOUD, SOURCE_REGION, TARGET_CLOUD, TARGET_REGION | ACCOUNT_USAGE | 2 hours | T1213 - Data Collection; T1074 - Data Staged |
| GRANTS_TO_ROLES | CREATED_ON, MODIFIED_ON, PRIVILEGE, GRANTED_ON, NAME, GRANTED_TO, GRANTEE_NAME, GRANT_OPTION, GRANTED_BY, DELETED_ON | ACCOUNT_USAGE | 2 hours | T1078 - Privilege Escalation |
| GRANTS_TO_USERS | CREATED_ON, DELETED_ON, ROLE, GRANTED_TO, GRANTEE_NAME, GRANTED_BY | ACCOUNT_USAGE | 2 hours | T1078 - Privilege Escalation |
| LOGIN_HISTORY | EVENT_TIMESTAMP, EVENT_TYPE, USER_NAME, CLIENT_IP, REPORTED_CLIENT_TYPE, FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS | ACCOUNT_USAGE | 2 hours | T1078.004 - Cloud Accounts |
| MASKING_POLICIES | POLICY_NAME, CREATED, LAST_ALTERED, DELETED | ACCOUNT_USAGE | 2 hours | T1080 - Taint Shared Content; TA0005 - Defense Evasion |
| QUERY_HISTORY | All Applicable Columns | ACCOUNT_USAGE | 45 minutes | TA0003 - Persistence; TA0003 - Valid Accounts |
| ROLES | CREATED_ON, DELETED_ON, NAME | ACCOUNT_USAGE | 2 hours | TA0003 - Persistence |
| ROW_ACCESS_POLICIES | POLICY_NAME, CREATED, LAST_ALTERED, DELETED | ACCOUNT_USAGE | 2 hours | T1080 - Taint Shared Content; TA0005 - Defense Evasion |
| SESSIONS | SESSION_ID, CREATED_ON, USER_NAME, AUTHENTICATION_METHOD, LOGIN_EVENT_ID, CLIENT_APPLICATION_VERSION, CLIENT_APPLICATION_ID, CLIENT_ENVIRONMENT, CLIENT_BUILD_ID, CLIENT_VERSION | ACCOUNT_USAGE | 3 hours | TA0003 - Persistence; T1550 - Use Alternate Authentication Material |
| STAGES | STAGE_NAME, CREATED, LAST_ALTERED, DELETED | ACCOUNT_USAGE | 2 hours | T1074 - Data Staged |
| USERS | All Applicable Columns | ACCOUNT_USAGE | 2 hours | TA0003 - Persistence; TA0003 - Valid Accounts |
| DATABASES | DATABASE_NAME, CREATED, LAST_ALTERED, DELETED | ACCOUNT_USAGE | 2 hours | T1074 - Data Staged |
| TABLES | TABLE_OWNER, CREATED, LAST_ALTERED, DELETED | ACCOUNT_USAGE | 2 hours | T1074 - Data Staged |
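
The following scheduled detection is an added example, not part of Snowflake's guide. It uses the LOGIN_HISTORY columns listed above to surface a successful login preceded by repeated failures for the same user and client IP. The thresholds (5 failures within 60 minutes) and the 24-hour lookback are assumptions to tune per environment; the lookback is deliberately much longer than the 2-hour view latency so that late-arriving rows are not missed between runs.

```sql
-- Added example: successful login preceded by a burst of failures
-- (LOGIN_HISTORY, mapped above to T1078.004 - Cloud Accounts).
-- Assumed thresholds: >= 5 failures in the 60 minutes before the success.
WITH logins AS (
    SELECT event_timestamp,
           event_type,
           user_name,
           client_ip,
           reported_client_type,
           first_authentication_factor,
           second_authentication_factor,
           is_success
    FROM snowflake.account_usage.login_history
    -- Lookback exceeds the 2-hour view latency so overlapping runs
    -- still see rows that were not yet visible on the previous run.
    WHERE event_timestamp >= DATEADD(hour, -24, CURRENT_TIMESTAMP())
)
SELECT s.user_name,
       s.client_ip,
       s.event_timestamp                       AS success_time,
       s.reported_client_type,
       s.first_authentication_factor,
       s.second_authentication_factor,
       s.second_authentication_factor IS NULL  AS no_second_factor,
       COUNT(*)                                AS failures_before_success,
       MIN(f.event_timestamp)                  AS first_failure
FROM logins s
JOIN logins f
  ON  f.user_name = s.user_name
  AND f.client_ip = s.client_ip
  AND f.is_success = 'NO'
  AND f.event_timestamp >= DATEADD(minute, -60, s.event_timestamp)
  AND f.event_timestamp <  s.event_timestamp
WHERE s.is_success = 'YES'
GROUP BY s.user_name, s.client_ip, s.event_timestamp,
         s.reported_client_type, s.first_authentication_factor,
         s.second_authentication_factor
HAVING COUNT(*) >= 5
ORDER BY success_time DESC;
```

Because consecutive runs overlap, deduplicate alerts in the SIEM on USER_NAME, CLIENT_IP and the success timestamp.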