Panther can be configured to write processed log data to one or more AWS-based Snowflake database clusters. This allows you to join Panther processed data with your other data sources in Snowflake.
Integrating Panther with Snowflake lets you use Panther data in your Business Intelligence tools to build dashboards tailored to your operations. In addition, you can join Panther data (e.g., Panther alerts) to your business data, enabling assessment of your security posture with respect to your organization.
For example, you can tally alerts by organizational division (e.g., Human Resources) or by infrastructure (e.g., Development, Test, Production).
Panther uses Snowpipe to copy the data into your Snowflake cluster.
In order to configure Panther, you need to get the `SNOWFLAKE_IAM_USER` from Snowflake.
In a Snowflake SQL shell, execute the SQL below, replacing `myaccountid` with your AWS account ID and `myaccountregion` with the account's region:
You should see a response of:
In the above example, the `SNOWFLAKE_IAM_USER` is `arn:aws:iam::34318291XXXX:user/k7m2-s-v2st0722`. Edit `deployments/panther_config.yml` to add it to the Snowflake configuration:
```yaml
# Snowflake (https://www.snowflake.com/) Integration
Snowflake:
  # List of Snowflake cluster IAM ARNs which will ingest the output of Panther log processing.
  # If this list is non-empty, a file will be produced by `mage snowflake:snowpipe`
  # called './out/snowflake/snowpipe.sql' that should be run in your snowflake cluster
  # to configure Snowpipe and declare the Panther tables.
  # For example:
  # DestinationClusterARNs:
  #   - arn:aws:iam::34318291XXXX:user/k8m1-s-v2st0721 # test snowflake cluster
  #   - arn:aws:iam::34318291XXXX:user/h1h4-s-a2st0111 # production snowflake cluster
  DestinationClusterARNs:
    - arn:aws:iam::34318291XXXX:user/k7m2-s-v2st0722
```
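The only principals that will be allowed to pull Panther's processed data are the ARNs listed under `DestinationClusterARNs`, so it is worth checking that list before deploying: a placeholder account ID left in place, or a principal that is not an IAM user, means Snowpipe will either fail or be granted to the wrong identity. The script below is an added example, not Panther's own code or part of `mage`. It uses a small hypothetical line scanner (`extract_destination_arns`) rather than a YAML library so it runs stand-alone, and the sample config text is constructed to mirror the layout shown above, with the page's `XXXX` placeholder and two extra constructed entries to exercise the checks.

```python
import re

# Constructed sample of the Snowflake section of deployments/panther_config.yml.
# The XXXX account id is the page's own placeholder; the last two entries are
# constructed here to show a passing ARN and a wrong principal type.
SAMPLE_CONFIG = """\
# Snowflake (https://www.snowflake.com/) Integration
Snowflake:
  # List of Snowflake cluster IAM ARNs which will ingest the output of Panther log processing.
  # For example:
  # DestinationClusterARNs:
  #   - arn:aws:iam::34318291XXXX:user/k8m1-s-v2st0721 # test snowflake cluster
  DestinationClusterARNs:
    - arn:aws:iam::34318291XXXX:user/k7m2-s-v2st0722
    - arn:aws:iam::123456789012:user/abcd-s-a2st0111 # constructed production example
    - arn:aws:iam::123456789012:role/not-a-user     # constructed wrong principal type
"""

# An IAM *user* ARN: a 12-digit account id followed by a user path. The page's
# SNOWFLAKE_IAM_USER values all have this shape, so a role ARN is flagged.
IAM_USER_ARN = re.compile(r"^arn:aws:iam::(\d{12}):user/[\w+=,.@/-]+$")


def extract_destination_arns(config_text: str) -> list[str]:
    """Return the live (uncommented) entries listed under DestinationClusterARNs.

    Hypothetical helper (not part of Panther): a minimal line scanner that is
    enough for this one key. Commented-out example lines are skipped and a
    trailing '# ...' comment is stripped from each live entry.
    """
    arns = []
    in_list = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        if line.startswith("DestinationClusterARNs:"):
            in_list = True
            continue
        if in_list:
            if line.startswith("- "):
                arns.append(line[2:].split("#", 1)[0].strip())
            elif line:  # any other non-blank line ends the list
                in_list = False
    return arns


def check_arn(arn: str) -> list[str]:
    """Return the problems found with one ARN; an empty list means it passes."""
    problems = []
    if "XXXX" in arn:
        problems.append("placeholder account id (XXXX) still present")
    if not IAM_USER_ARN.match(arn):
        problems.append("not an IAM user ARN (arn:aws:iam::<12-digit-account>:user/<name>)")
    return problems


def validate_config(config_text: str) -> dict[str, list[str]]:
    """Map every listed ARN to its problems.

    An empty problem list for every ARN means the section is ready for
    `mage deploy snowflake:snowpipe`; an empty ARN list is reported too,
    because no snowpipe.sql is generated in that case.
    """
    arns = extract_destination_arns(config_text)
    if not arns:
        return {"<none>": ["DestinationClusterARNs is empty; no Snowpipe SQL will be generated"]}
    return {arn: check_arn(arn) for arn in arns}


if __name__ == "__main__":
    for arn, problems in validate_config(SAMPLE_CONFIG).items():
        print(arn, "OK" if not problems else "; ".join(problems))
```

Run it against the real file with `validate_config(open("deployments/panther_config.yml").read())`; fix every reported entry before running the deploy step.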
Next, deploy with:

```shell
mage deploy snowflake:snowpipe
```
When the deployment is done, there should be a `snowpipe.sql` file created in `./out/snowflake/` (the path named in the config comment above).
In the Snowflake SQL shell, use the Load Script option to load `snowpipe.sql`, tick the All Queries checkbox, then click to run the script. Once `snowpipe.sql` has been successfully executed, you should have three databases:
These are the same database names used in AWS Athena and queries should behave similarly.
Assuming you have data being processed regularly, there should be data in the tables within a few minutes.
You can quickly test if the data ingestion is working by running simple queries, for example:
```sql
SELECT count(1) AS c FROM panther_logs.public.aws_cloudtrail;
```