Snowflake
Integration version: 1.0
Configure Snowflake integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| API Root | String | https://{your_instance}.snowflakecomputing.com | Yes | API root of the Snowflake instance. |
| Account | String | N/A | Yes | The name of the account configured with Snowflake. |
| Username | String | N/A | Yes | Username used to access Snowflake. |
| Private Key | Secret | N/A | Yes | Private key that is used for authentication. |
| Verify SSL | Checkbox | Unchecked | Yes | If enabled, the integration verifies that the SSL certificate for the connection to the Snowflake server is valid. |
How to Authenticate in Integration
To use integration, you need to generate a private key and base64 encode it. For the private key generation, you need to use SnowSQL. For more information on using SnowSQL, see the Installing SnowSQL document available within the Snowflake documentation.
Integration relies on the Key-Pair Authentication. For more information, see the Using Key Pair Authentication document available within the Snowflake documentation.
Use Cases
- Enrich entities.
- Ingest alerts.
Actions
Ping
Description
Test connectivity to Snowflake with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Parameters
N/A
Run on
This action doesn't run on entities, nor has mandatory input parameters.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success=False |
JSON Result
N/A
Entity Enrichment
N/A
Insights
N/A
Case Wall
| Result type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful: "Successfully connected to the Snowflake server with the provided connection parameters!" The action should fail and stop a playbook execution: If not successful: "Failed to connect to the Snowflake server! Error is {0}".format(exception.stacktrace) |
General |
Execute Custom Query
Description
Execute a custom query in Snowflake.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Query | String | N/A | Yes | Specify the query that needs to be executed in Snowflake. Note: The query shouldn't contain LIMIT keyword, because it's added automatically. Only single quotes are supported in the query. |
| Database | String | N/A | Yes | Specify the name of the database in which you want to execute the query. |
| Schema | String | N/A | No | Specify the name of the schema in which you want to execute the query. |
| Max Results To Return | Integer | 50 | No | Specify the number of results to return for the query. |
Run on
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success=False |
JSON Result
{
"C_CUSTKEY": "60001",
"C_NAME": "Customer#000060001",
"C_ADDRESS": "9Ii4zQn9cX",
"C_NATIONKEY": "14",
"C_PHONE": "24-678-784-9652"
…………………..
}
Entity Enrichment
N/A
Insights
N/A
Case Wall
| Result type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If data is available for a query (is_success=true): "Successfully executed query "{query}" in Snowflake." If no data is available for a query (is_success=true): "No results were found for the query "{query}" in Snowflake." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Execute Custom Query". Reason: {0}''.format(error.Stacktrace)" If "message" in the response is not the 202 status code: "Error executing action "Execute Custom Query". Reason: {0}''.format(message) |
General |
| Case Wall Table | Table Title: Results All Results |
General |
Execute Simple Query
Description
Execute a query based on parameters in Snowflake.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Database | String | N/A | Yes | Specify the name of the database in which you want to execute the query. |
| Table | String | N/A | Yes | Specify the name of the table in which you want to execute the query. |
| Schema | String | N/A | No | Specify the name of the schema in which you want to execute the query. |
| Where Filter | String | N/A | No | Specify the Where Filter for the query that needs to be executed. Note: You don't need to limit and sort. Also, you don't need to provide Where string in the payload. Only single quotes are supported in the query. |
| Fields To Return | CSV | * | No | Specify the fields to return. If nothing is provided the action returns all fields. Wildcard character is supported. |
| Sort Field | String | N/A | No | Specify the parameter that should be used for sorting. |
| Sort Order | DDL | ASC Possible Values:
|
No | Specify the order of sorting. |
| Max Results To Return | Integer | 50 | No | Specify the number of results to return. |
Run on
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success=False |
JSON Result
{
"C_CUSTKEY": "60001",
"C_NAME": "Customer#000060001",
"C_ADDRESS": "9Ii4zQn9cX",
"C_NATIONKEY": "14",
"C_PHONE": "24-678-784-9652"
………………….
}
Entity Enrichment
N/A
Insights
N/A
Case Wall
| Result type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If data is available for a query (is_success=true): "Successfully executed query "{query}" in Snowflake." If no data is available for a query (is_success=true): "No results were found for the query "{query}" in Snowflake." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Execute Simple Query". Reason: {0}''.format(error.Stacktrace) If "message" in the response and is not 202 status code: "Error executing action "Execute Simple Query". Reason: {0}''.format(message) |
General |
| Case Wall Table | Table Name: Results Table Columns: All of the columns from response |
General |