Snowflake Data Cloud
The Snowflake Data Cloud is a multi-cloud enterprise data warehouse and intelligence platform, billed as the AI Data Cloud. Snowflake supports big data, streaming, business intelligence (BI), machine learning (ML), and artificial intelligence (AI) workloads. In their own words: “Snowflake’s Data Cloud is powered by an advanced data platform provided as a self-managed service. Snowflake enables data storage, processing, and analytic solutions that are faster, easier to use, and far more flexible than traditional offerings.
The Snowflake data platform is not built on any existing database technology or “big data” software platforms such as Hadoop. Instead, Snowflake combines a completely new SQL query engine with an innovative architecture natively designed for the cloud. To the user, Snowflake provides all of the functionality of an enterprise analytic database, along with many additional special features and unique capabilities.”
Security and IT teams use Snowflake as a direct Security Information & Event Management (SIEM) replacement or as an alternative data store to expand SIEM use cases such as enrichment, big data analytics, machine learning (ML), artificial intelligence (AI), and detections. Like other data warehouses and lakehouses, Snowflake has a centralized metadata catalog which organizes the various “objects” such as Databases, Schemas, Stages, Tables, Views, and more. Security and IT teams typically ingest source- and log-specific data into tables and create various views from them – which is where Query comes into play.
Query provides an easy-to-use interface to both search and model data stored within Snowflake. Query takes care of query planning, query translation, query execution, and windowing of results on top of the Python Snowflake SDK. You never have to write any SQL, and Query ensures that all SQL submitted to the warehouse is as efficient as possible, meaning we will not blindly send an unlimited SELECT * FROM table across to your tables or views.
Using the Configure Schema no-code workflow, you can easily model data stored in Snowflake views, tables, and other objects into the Query Data Model, no matter what shape it is in. The Query Connector for Snowflake handles introspection, query authorship, query translation, search normalization, and windowing all on your behalf. This allows your Security Operations teams and other security personnel to worry more about security and less about data engineering tasks such as ETL, complex data modeling, and query writing in Worksheets.
Query is a read-only point solution that does not allow users to submit dangerous or overly broad SQL queries in your Snowflake warehouse. Only the data you request in your search is brought back from the tables or views that you configure within the Query federated search platform – this data is not replicated, it is simply presented back.
Security teams are increasingly becoming reliant on modern data warehousing and data lakehouse technologies to increase their data visibility and retention, in part due to the cheap storage costs in these platforms. However, that requires security teams to adopt SecDataOps practices, which can be difficult to staff and train for. Using Query Federated Search, you can immediately unlock the benefits of data in Snowflake for IR, threat hunting, internal investigations, internal audit, compliance, and other security architecture and analyst teams. While Query does the heavy lifting for you, your team can continue to upskill and adapt their data architecture to meet the modern security needs of a data-heavy environment.
For more information see our documentation on the Snowflake integration here.