How can I onboard Snowflake audit logs from other Snowflake accounts into Panther?

Last updated: September 3, 2024

QUESTION

How can I onboard audit logs from Snowflake accounts other than my Panther data lake account into Panther?

ANSWER

Snowflake does not emit its audit logs, so they cannot be ingested into Panther as a regular log source. The workaround is to use Scheduled Queries. However, this method has some limitations:

  • It is not possible to backfill these logs, so you won’t be able to perform analysis on historical logs.

  • Additionally, none of the objects in snowflake.account_usage can be included in a data share, so you cannot simply connect those accounts to Panther’s Snowflake and query them that way.
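The following is an added illustration of the scheduled-copy approach, not Panther's documented procedure or code from this article. It shows the part that has to run inside the other Snowflake account: because snowflake.account_usage views cannot be shared, a scheduled task periodically copies new LOGIN_HISTORY rows into a regular table, which can then be shared with (or queried from) the Panther account. The database, schema, warehouse and share names, the hourly schedule, the three-hour trailing window and the account locator are all assumptions.

```sql
-- Added example (assumed names throughout): copy Snowflake login audit events
-- into a shareable table inside the source account. Requires a role that can
-- read the SNOWFLAKE database and create tasks, and a warehouse named AUDIT_WH.
USE ROLE ACCOUNTADMIN;

CREATE DATABASE IF NOT EXISTS audit_export;
CREATE SCHEMA IF NOT EXISTS audit_export.snowflake_logs;

-- Empty table with the same columns as the ACCOUNT_USAGE view.
-- Unlike the view itself, a regular table can be placed in a data share.
CREATE TABLE IF NOT EXISTS audit_export.snowflake_logs.login_history
  AS SELECT * FROM snowflake.account_usage.login_history WHERE FALSE;

-- Hourly task: append rows from a trailing window, deduplicated on EVENT_ID.
-- ACCOUNT_USAGE views are populated with a delay, so the window re-scans
-- recent history instead of trusting a simple "newer than last run" cutoff.
-- The first run only copies the window, so this does not backfill history.
CREATE OR REPLACE TASK audit_export.snowflake_logs.copy_login_history
  WAREHOUSE = audit_wh
  SCHEDULE  = '60 MINUTE'
AS
  INSERT INTO audit_export.snowflake_logs.login_history
  SELECT src.*
  FROM snowflake.account_usage.login_history AS src
  WHERE src.event_timestamp > DATEADD(hour, -3, CURRENT_TIMESTAMP())
    AND NOT EXISTS (
      SELECT 1
      FROM audit_export.snowflake_logs.login_history AS dst
      WHERE dst.event_id = src.event_id
    );

-- Tasks are created suspended; resume it to start the schedule.
ALTER TASK audit_export.snowflake_logs.copy_login_history RESUME;

-- Expose the copied table to the Panther data lake account via a share
-- (replace the placeholder with the consumer account identifier).
CREATE SHARE IF NOT EXISTS audit_export_share;
GRANT USAGE  ON DATABASE audit_export                          TO SHARE audit_export_share;
GRANT USAGE  ON SCHEMA   audit_export.snowflake_logs           TO SHARE audit_export_share;
GRANT SELECT ON TABLE    audit_export.snowflake_logs.login_history TO SHARE audit_export_share;
ALTER SHARE audit_export_share ADD ACCOUNTS = <PANTHER_ACCOUNT_LOCATOR_PLACEHOLDER>;
```

Once the share is mounted in the Panther account, a Scheduled Query can select from the shared login_history table on the same cadence as the task. Other views of interest (for example QUERY_HISTORY or GRANTS_TO_USERS) can be handled with a second task and table following the same pattern, each with its own deduplication key.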