Snowflake

| Attribute | Value |
|---|---|
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com |
| Categories | domains |
| Version | 3.0.8 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2021-10-23 |
| Last Updated | 2026-02-04 |
| Solution Folder | Snowflake |
| Marketplace | Azure Marketplace · Rating: ★☆☆☆☆ 1.0/5 (2 ratings) · Popularity: 🟢 High (97%) |

The Snowflake CCF data connector provides the capability to ingest Snowflake Login History Logs, Query History Logs, User-Grant Logs, Role-Grant Logs, Load History Logs, Materialized View Refresh History Logs, Roles Logs, Tables Logs, Table Storage Metrics Logs, Users Logs into Microsoft Sentinel using the Snowflake SQL API. Refer to Snowflake SQL API documentation for more information.

Underlying Microsoft Technologies used:

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

Microsoft Sentinel Codeless Connector Framework

Contents

Data Connectors

This solution provides 1 data connector(s) (plus 1 discovered⚠️):

🔍 Discovered: This item was discovered by scanning the solution folder but is not listed in the Solution JSON file.

🔶 CLv1: This connector ingests into a table that uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.

Tables Used

This solution uses 11 table(s):

| Table | Used By Connectors | Used By Content |
|---|---|---|
| SnowflakeLoad_CL | Snowflake (via Codeless Connector Framework) | Analytics, Hunting, Workbooks |
| SnowflakeLogin_CL | Snowflake (via Codeless Connector Framework) | Analytics, Hunting, Workbooks |
| SnowflakeMaterializedView_CL | Snowflake (via Codeless Connector Framework) | Analytics, Hunting, Workbooks |
| SnowflakeQuery_CL | Snowflake (via Codeless Connector Framework) | Analytics, Hunting, Workbooks |
| SnowflakeRoleGrant_CL | Snowflake (via Codeless Connector Framework) | Analytics, Hunting, Workbooks |
| SnowflakeRoles_CL | Snowflake (via Codeless Connector Framework) | Analytics, Hunting, Workbooks |
| SnowflakeTableStorageMetrics_CL | Snowflake (via Codeless Connector Framework) | Analytics, Hunting, Workbooks |
| SnowflakeTables_CL | Snowflake (via Codeless Connector Framework) | Analytics, Hunting, Workbooks |
| SnowflakeUserGrant_CL | Snowflake (via Codeless Connector Framework) | Analytics, Hunting, Workbooks |
| SnowflakeUsers_CL | Snowflake (via Codeless Connector Framework) | Analytics, Hunting, Workbooks |
| Snowflake_CL 🔶 | [DEPRECATED] Snowflake | Analytics, Hunting, Workbooks |

🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.

Content Items

This solution includes 22 content item(s):

| Content Type | Count |
|---|---|
| Analytic Rules | 10 |
| Hunting Queries | 10 |
| Workbooks | 1 |
| Parsers | 1 |

Analytic Rules

| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| Snowflake - Abnormal query process time | Medium | Impact | SnowflakeLoad_CL, SnowflakeLogin_CL, SnowflakeMaterializedView_CL, SnowflakeQuery_CL, SnowflakeRoleGrant_CL, SnowflakeRoles_CL, SnowflakeTableStorageMetrics_CL, SnowflakeTables_CL, SnowflakeUserGrant_CL, SnowflakeUsers_CL, Snowflake_CL |
| Snowflake - Multiple failed queries | High | Discovery | SnowflakeLoad_CL, SnowflakeLogin_CL, SnowflakeMaterializedView_CL, SnowflakeQuery_CL, SnowflakeRoleGrant_CL, SnowflakeRoles_CL, SnowflakeTableStorageMetrics_CL, SnowflakeTables_CL, SnowflakeUserGrant_CL, SnowflakeUsers_CL, Snowflake_CL |
| Snowflake - Multiple login failures by user | High | InitialAccess | SnowflakeLoad_CL, SnowflakeLogin_CL, SnowflakeMaterializedView_CL, SnowflakeQuery_CL, SnowflakeRoleGrant_CL, SnowflakeRoles_CL, SnowflakeTableStorageMetrics_CL, SnowflakeTables_CL, SnowflakeUserGrant_CL, SnowflakeUsers_CL, Snowflake_CL |
| Snowflake - Multiple login failures from single IP | High | InitialAccess | SnowflakeLoad_CL, SnowflakeLogin_CL, SnowflakeMaterializedView_CL, SnowflakeQuery_CL, SnowflakeRoleGrant_CL, SnowflakeRoles_CL, SnowflakeTableStorageMetrics_CL, SnowflakeTables_CL, SnowflakeUserGrant_CL, SnowflakeUsers_CL, Snowflake_CL |
| Snowflake - Possible data destraction | Medium | Impact | SnowflakeLoad_CL, SnowflakeLogin_CL, SnowflakeMaterializedView_CL, SnowflakeQuery_CL, SnowflakeRoleGrant_CL, SnowflakeRoles_CL, SnowflakeTableStorageMetrics_CL, SnowflakeTables_CL, SnowflakeUserGrant_CL, SnowflakeUsers_CL, Snowflake_CL |
| Snowflake - Possible discovery activity | Medium | Discovery | SnowflakeLoad_CL, SnowflakeLogin_CL, SnowflakeMaterializedView_CL, SnowflakeQuery_CL, SnowflakeRoleGrant_CL, SnowflakeRoles_CL, SnowflakeTableStorageMetrics_CL, SnowflakeTables_CL, SnowflakeUserGrant_CL, SnowflakeUsers_CL, Snowflake_CL |
| Snowflake - Possible privileges discovery activity | Medium | Discovery | SnowflakeLoad_CL, SnowflakeLogin_CL, SnowflakeMaterializedView_CL, SnowflakeQuery_CL, SnowflakeRoleGrant_CL, SnowflakeRoles_CL, SnowflakeTableStorageMetrics_CL, SnowflakeTables_CL, SnowflakeUserGrant_CL, SnowflakeUsers_CL, Snowflake_CL |
| Snowflake - Query on sensitive or restricted table | Medium | Collection | SnowflakeLoad_CL, SnowflakeLogin_CL, SnowflakeMaterializedView_CL, SnowflakeQuery_CL, SnowflakeRoleGrant_CL, SnowflakeRoles_CL, SnowflakeTableStorageMetrics_CL, SnowflakeTables_CL, SnowflakeUserGrant_CL, SnowflakeUsers_CL, Snowflake_CL |
| Snowflake - Unusual query | Medium | Collection | SnowflakeLoad_CL, SnowflakeLogin_CL, SnowflakeMaterializedView_CL, SnowflakeQuery_CL, SnowflakeRoleGrant_CL, SnowflakeRoles_CL, SnowflakeTableStorageMetrics_CL, SnowflakeTables_CL, SnowflakeUserGrant_CL, SnowflakeUsers_CL, Snowflake_CL |
| Snowflake - User granted admin privileges | Medium | PrivilegeEscalation | SnowflakeLoad_CL, SnowflakeLogin_CL, SnowflakeMaterializedView_CL, SnowflakeQuery_CL, SnowflakeRoleGrant_CL, SnowflakeRoles_CL, SnowflakeTableStorageMetrics_CL, SnowflakeTables_CL, SnowflakeUserGrant_CL, SnowflakeUsers_CL, Snowflake_CL |

Hunting Queries

| Name | Tactics | Tables Used |
|---|---|---|
| Snowflake - Credit consuming queries | Impact | SnowflakeLoad_CL, SnowflakeLogin_CL, SnowflakeMaterializedView_CL, SnowflakeQuery_CL, SnowflakeRoleGrant_CL, SnowflakeRoles_CL, SnowflakeTableStorageMetrics_CL, SnowflakeTables_CL, SnowflakeUserGrant_CL, SnowflakeUsers_CL, Snowflake_CL |
| Snowflake - Deleted databases | Impact | SnowflakeLoad_CL, SnowflakeLogin_CL, SnowflakeMaterializedView_CL, SnowflakeQuery_CL, SnowflakeRoleGrant_CL, SnowflakeRoles_CL, SnowflakeTableStorageMetrics_CL, SnowflakeTables_CL, SnowflakeUserGrant_CL, SnowflakeUsers_CL, Snowflake_CL |
| Snowflake - Deleted tables | Impact | SnowflakeLoad_CL, SnowflakeLogin_CL, SnowflakeMaterializedView_CL, SnowflakeQuery_CL, SnowflakeRoleGrant_CL, SnowflakeRoles_CL, SnowflakeTableStorageMetrics_CL, SnowflakeTables_CL, SnowflakeUserGrant_CL, SnowflakeUsers_CL, Snowflake_CL |
| Snowflake - Failed logins | InitialAccess | SnowflakeLoad_CL, SnowflakeLogin_CL, SnowflakeMaterializedView_CL, SnowflakeQuery_CL, SnowflakeRoleGrant_CL, SnowflakeRoles_CL, SnowflakeTableStorageMetrics_CL, SnowflakeTables_CL, SnowflakeUserGrant_CL, SnowflakeUsers_CL, Snowflake_CL |
| Snowflake - Privileged users' source IP addresses | InitialAccess | SnowflakeLoad_CL, SnowflakeLogin_CL, SnowflakeMaterializedView_CL, SnowflakeQuery_CL, SnowflakeRoleGrant_CL, SnowflakeRoles_CL, SnowflakeTableStorageMetrics_CL, SnowflakeTables_CL, SnowflakeUserGrant_CL, SnowflakeUsers_CL, Snowflake_CL |
| Snowflake - Rarely used account | InitialAccess | SnowflakeLoad_CL, SnowflakeLogin_CL, SnowflakeMaterializedView_CL, SnowflakeQuery_CL, SnowflakeRoleGrant_CL, SnowflakeRoles_CL, SnowflakeTableStorageMetrics_CL, SnowflakeTables_CL, SnowflakeUserGrant_CL, SnowflakeUsers_CL, Snowflake_CL |
| Snowflake - Rarely used privileged users | InitialAccess | SnowflakeLoad_CL, SnowflakeLogin_CL, SnowflakeMaterializedView_CL, SnowflakeQuery_CL, SnowflakeRoleGrant_CL, SnowflakeRoles_CL, SnowflakeTableStorageMetrics_CL, SnowflakeTables_CL, SnowflakeUserGrant_CL, SnowflakeUsers_CL, Snowflake_CL |
| Snowflake - Time consuming queries | Impact | SnowflakeLoad_CL, SnowflakeLogin_CL, SnowflakeMaterializedView_CL, SnowflakeQuery_CL, SnowflakeRoleGrant_CL, SnowflakeRoles_CL, SnowflakeTableStorageMetrics_CL, SnowflakeTables_CL, SnowflakeUserGrant_CL, SnowflakeUsers_CL, Snowflake_CL |
| Snowflake - Unknown query type | Impact | SnowflakeLoad_CL, SnowflakeLogin_CL, SnowflakeMaterializedView_CL, SnowflakeQuery_CL, SnowflakeRoleGrant_CL, SnowflakeRoles_CL, SnowflakeTableStorageMetrics_CL, SnowflakeTables_CL, SnowflakeUserGrant_CL, SnowflakeUsers_CL, Snowflake_CL |
| Snowflake - Users' source IP addresses | InitialAccess | SnowflakeLoad_CL, SnowflakeLogin_CL, SnowflakeMaterializedView_CL, SnowflakeQuery_CL, SnowflakeRoleGrant_CL, SnowflakeRoles_CL, SnowflakeTableStorageMetrics_CL, SnowflakeTables_CL, SnowflakeUserGrant_CL, SnowflakeUsers_CL, Snowflake_CL |

Workbooks

| Name | Tables Used |
|---|---|
| Snowflake | SnowflakeLoad_CL, SnowflakeLogin_CL, SnowflakeMaterializedView_CL, SnowflakeQuery_CL, SnowflakeRoleGrant_CL, SnowflakeRoles_CL, SnowflakeTableStorageMetrics_CL, SnowflakeTables_CL, SnowflakeUserGrant_CL, SnowflakeUsers_CL, Snowflake_CL |

Parsers

| Name | Description | Tables Used |
|---|---|---|
| Snowflake | - | SnowflakeLoad_CL (read), SnowflakeLogin_CL (read), SnowflakeMaterializedView_CL (read), SnowflakeQuery_CL (read), SnowflakeRoleGrant_CL (read), SnowflakeRoles_CL (read), SnowflakeTableStorageMetrics_CL (read), SnowflakeTables_CL (read), SnowflakeUserGrant_CL (read), SnowflakeUsers_CL (read), Snowflake_CL (read) |

Release Notes

| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.9 | 03-02-2026 | Updated the analytic rule query. |
| 3.0.8 | 22-12-2025 | Added a 120-minute ingestion delay for the Snowflake connector and updated the parser KQL to surface accurate start/end timestamps. |
| 3.0.7 | 10-12-2025 | Resolved bug in CCF Data Connector related to Output stream for Snowflake tables. |
| 3.0.6 | 20-11-2025 | Resolved bug in CCF Data Connector related to SQL queries. |
| 3.0.5 | 13-10-2025 | Updated Parser to support function app table. |
| 3.0.4 | 23-09-2025 | Updated parser to extend the normalized fields, and updated Analytic Rules, Workbooks to use CCF connector fields. |
| 3.0.3 | 09-09-2025 | Updated DCR and Poller to prevent redundant data ingestion, improve pagination and handle connection interruptions for Snowflake CCF connector. |
| 3.0.2 | 20-08-2025 | Moving Snowflake CCF Data Connector to GA. |
| 3.0.1 | 26-05-2025 | Migrated the Function app connector to CCP Data Connector and Updated Parser. |
| 3.0.0 | 31-08-2023 | Manual deployment instructions updated for Data Connector & Convert Parser from text to Yaml. |
