Panther + Snowflake: Security Monitoring with Streaming Analysis for Your Enterprise Data
In today's data-driven landscape, organizations are increasingly centralizing their mission-critical information in Snowflake—from financial records and sensitive customer data to valuable AI training sets. As this trend accelerates, protecting these environments has become a top priority for security teams, yet establishing effective security monitoring has been difficult.
Panther's native integration with Snowflake audit logging directly bridges this gap and simplifies what has historically been a complex, manual process. With our integration, security teams can detect suspicious behavior, monitor privileged access, and identify potential data breaches with streaming log analysis.
“With Panther, LaunchDarkly can easily and seamlessly monitor our critical data in Snowflake” - Patrick Kaeding, Lead Engineer at LaunchDarkly
Continue reading to discover the full capabilities of the integration, and join our April 10th webinar to hear firsthand experiences from security teams already leveraging these capabilities.
The Growing Importance of Data Lake Security
Snowflake has become a central component of modern data stacks, serving as the foundation for business intelligence, analytics, and, increasingly, artificial intelligence workloads. Organizations rely on Snowflake to store and process their most sensitive information—customer records, financial data, intellectual property, and the valuable datasets that power AI applications.
The stakes for securing these environments have never been higher. In 2024, the global average cost of a data breach climbed to USD 4.88 million—a 10% increase from the previous year. While the number of data breaches worldwide was down 18% from 2022 to 2023, breaches in the United States tripled, moving from 30.9 million to 96.7 million breaches in the same period.
These escalating threats underscore why robust monitoring for data lakes isn't just good practice—it's business-critical protection against severe financial and reputational damage.
Understanding the Security Gap
Despite Snowflake's rich audit logging capabilities, security teams have faced three primary challenges when attempting to monitor their Snowflake environments:
Ingestion Challenges: There has been no simple, ready-to-use method for ingesting and centralizing Snowflake audit logs in security monitoring platforms.
Correlation Barriers: Without centralized data, it’s challenging to correlate Snowflake activity with other security telemetry, creating siloed visibility and impeding comprehensive threat detection.
Normalization Limitations: Even when audit logs are accessible, they lack normalized fields and enrichment that accelerate detection rule creation and investigation workflows.
Security teams often resort to inefficient workarounds, either combining fragmented data through views and shares, or creating complex SIEM pipelines that can't properly normalize or enrich the data. This fragmented approach makes it difficult to implement consistent detection rules or correlate Snowflake events with other security data.
Panther's Snowflake Integration: Technical Overview
Our Snowflake integration addresses these challenges with a streamlined approach to data lake security monitoring. We're the first in the marketplace to offer security teams direct ingestion from Snowflake, data normalization for correlation across datasets, and streaming analysis for detection.
Watch the following video for a high-level overview, then keep reading for details on the integration, our key capabilities, and use cases.
Direct Ingestion from Snowflake
The integration directly ingests Snowflake's ACCOUNT_USAGE schema with minimal configuration effort. We support key views, including:
ACCESS_HISTORY: Track who accessed what objects
LOGIN_HISTORY: Monitor authentication events
QUERY_HISTORY: Review SQL queries executed against your data
Organizations maintain complete control over which Snowflake views they monitor, balancing security visibility with infrastructure costs through configurable refresh intervals.
Customers may also onboard as many Snowflake accounts as needed for complete coverage.
Normalized Data Model
Panther normalizes and enriches Snowflake data with consistent field mappings and indicators, making it significantly easier to write detection rules across your entire security ecosystem. This normalization process transforms raw Snowflake logs into a structured format that enables:
Faster analyst investigations
Consistent detection rule creation
Simplified correlation across data sources
Enhanced threat-hunting capabilities
Streaming Analysis for Detection
Unlike traditional approaches that process data in batches, Panther enables detection of suspicious activity through streaming analysis. This capability allows security teams to identify threats as they occur, drastically reducing the time between a security event and its detection.
Key Capabilities and Use Cases
Panther's Snowflake integration delivers powerful new capabilities for security teams: cross-system event correlation during investigation, programmable detections for context-aware logic, correlation rules for multi-step attack detection, and unified visibility with custom dashboards.
Correlate Suspicious Activity Across Your Environment
Panther’s pipeline parses, normalizes, and enriches ingested Snowflake data, enabling correlation with other security signals to identify and stop complex data exfiltration attacks.
Security teams can pivot from suspicious Snowflake activity to related events in other systems, allowing for comprehensive investigations.
For example, when Panther detects suspicious login patterns in Snowflake, analysts can immediately discover if the same user or IP address is involved in unusual activities elsewhere in the environment.
The next image shows a PantherFlow query investigating successful Snowflake logins from specific IP addresses over the past day, summarized by client IP, authentication factor, and username.

The power of Panther's correlation capabilities becomes evident when analysts can pivot from the Snowflake findings to examine related activities across other systems, such as AWS CloudTrail.
The next image shows a search for any events with the same suspicious IP address (35.166.231.222), and the discovery of associated AWS CloudTrail events—additional potentially suspicious activities.

This cross-platform visibility is critical for detecting sophisticated attacks that often move laterally across different systems. For instance, an attacker who gains access to Snowflake might also attempt to access AWS resources using the same compromised credentials. Without this correlation capability, these connections would remain hidden from security teams.
With flexible retention options and optimized processing, Panther delivers fast query speeds and a streamlined path to compliance while providing the context security teams need to identify and respond to threats effectively.
Programmable Detections for Snowflake Security
Panther's Python-powered detection framework allows security teams to implement sophisticated detection logic for Snowflake environments. Unlike traditional SIEM platforms that rely on proprietary query languages, Panther's programmable detections enable security teams to leverage the full power of Python to build nuanced, context-aware detections.
Out of the box, Panther includes detection rules designed to identify common Snowflake threat scenarios, including ones that directly address techniques used in recent attacks against Snowflake environments.
Here's an example of a detection rule included with Panther that identifies the creation of temporary stages in Snowflake:

The creation of temporary stages in Snowflake can be a legitimate operation but has also been observed in recent exfiltration techniques documented by Google's Threat Intelligence team.
This rule uses Python's regex capabilities to accurately identify stage creation commands regardless of the specific syntax used, demonstrating the power of Panther's programmable detections.
Advanced Attack Detection with Correlation Rules
While individual detections provide valuable insights, sophisticated attackers often employ multi-step tactics that can go unnoticed when examining isolated events. Panther addresses this challenge with correlation rules that identify patterns of related activities across time, creating higher-fidelity detections for complex Tactics, Techniques, and Procedures (TTPs).
For example, Panther's correlation engine can detect a common data exfiltration pattern that follows this sequence:
Create a temporary stage in Snowflake
Copy sensitive data into the stage
Download files from the stage
While each of these actions might be legitimate in isolation, the sequence of all three performed by the same user within a short timeframe is highly suspicious and warrants immediate investigation.
Here's how Panther implements this correlation pattern using a combination of several atomic detections:

This correlation rule chains together three individual signals—temporary stage creation, data copy operations, and file downloads—and connects them through the shared stage name. The rule only triggers when the complete sequence is detected, dramatically reducing false positives while catching sophisticated exfiltration attempts.
See the full logic for this correlation rule in our out-of-the-box detection for this data exfiltration scenario.
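The following is an added illustration, not Panther's shipped rule, of both the regex-based temporary stage detection described above and the three-step create, copy, download correlation keyed on the shared stage name. It assumes each event is a dict-like QUERY_HISTORY row carrying the QUERY_TEXT, USER_NAME and START_TIME columns; the patterns, the window logic and the sample rows are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Patterns for the three steps, matched against the QUERY_TEXT column of QUERY_HISTORY. Optional
# clauses and \s+ tolerate syntax variants (TEMP vs TEMPORARY, OR REPLACE, IF NOT EXISTS, spacing, case).
CREATE_STAGE_RE = re.compile(
    r'CREATE\s+(?:OR\s+REPLACE\s+)?TEMP(?:ORARY)?\s+STAGE\s+(?:IF\s+NOT\s+EXISTS\s+)?([\w."]+)', re.I)
COPY_TO_STAGE_RE = re.compile(r'COPY\s+INTO\s+@([\w."]+)', re.I)  # unload into a stage (a load has no @ here)
GET_FROM_STAGE_RE = re.compile(r'\bGET\s+@([\w."]+)', re.I)       # client-side download of stage files

def stage_name(regex, query_text):
    """Return the normalized stage name a query references, or None if it does not match."""
    match = regex.search(query_text or "")
    return match.group(1).strip('"').lower() if match else None

def rule(event):
    """Panther-style atomic rule: fire on any temporary stage creation (event is dict-like)."""
    return stage_name(CREATE_STAGE_RE, event.get("QUERY_TEXT")) is not None

def correlate(events, window=timedelta(hours=1)):
    """Return (user, stage) pairs where one user ran create -> copy -> get against the same
    stage within `window`. Partial or out-of-order sequences never fire."""
    steps = [("create", CREATE_STAGE_RE, None), ("copy", COPY_TO_STAGE_RE, "create"),
             ("get", GET_FROM_STAGE_RE, "copy")]
    state, hits = {}, []
    for ev in sorted(events, key=lambda e: e["START_TIME"]):
        for step, regex, prerequisite in steps:
            stage = stage_name(regex, ev.get("QUERY_TEXT"))
            if stage is None:
                continue
            seen = state.setdefault((ev.get("USER_NAME"), stage), {})
            if prerequisite is not None and prerequisite not in seen:
                continue  # this step without its predecessor is not the pattern
            seen[step] = ev["START_TIME"]
            if step == "get" and seen["get"] - seen["create"] <= window:
                hits.append((ev.get("USER_NAME"), stage))
    return hits

T0 = datetime(2025, 3, 1, 12, 0)  # constructed base timestamp for the sample rows

def _row(user, minutes, query_text):  # constructed QUERY_HISTORY rows, not real logs
    return {"USER_NAME": user, "START_TIME": T0 + timedelta(minutes=minutes), "QUERY_TEXT": query_text}

SAMPLE_EVENTS = [
    _row("alice", 0, "create temporary stage exfil_stage"),
    _row("alice", 2, "COPY INTO @exfil_stage/cust FROM customers"),
    _row("alice", 5, "GET @exfil_stage/cust file:///tmp/out/"),
    _row("bob", 0, "CREATE OR REPLACE TEMP STAGE etl_tmp"),  # atomic rule fires, correlation does not
    _row("bob", 1, "SELECT count(*) FROM orders"),
    _row("carol", 0, "COPY INTO @report_stage FROM sales"),  # copy without a create: ignored
]
```

Running `correlate(SAMPLE_EVENTS)` returns only alice's sequence, while `rule()` alone fires for both alice's and bob's stage creations, which is the false-positive reduction the correlation rule buys.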
Unified Visibility Through Custom Dashboards
Panther's custom dashboards transform complex telemetry from multiple Snowflake accounts into actionable insights through intuitive visualizations. From a single interface, security teams can monitor login patterns, query activity, privileged user actions, and data transfers across their entire Snowflake estate.
The next image shows a custom dashboard with logins to all Snowflake accounts by user and role access grants.

These dashboards can be tailored to different stakeholder needs—from executive summaries for leadership to detailed technical views for security analysts.
The ability to drill down from high-level metrics to individual events enables rapid investigation when suspicious activities are detected. This unified approach eliminates security blind spots and ensures consistent protection across Snowflake environments, regardless of their location or cloud provider.
Panther's architecture scales with your Snowflake footprint, maintaining performance whether you're monitoring a single account or dozens across your organization.
The platform's approach to data normalization ensures that security teams can write consistent detection rules that work across all Snowflake instances, making it particularly valuable for global organizations, multi-cloud deployments, and environments that change through mergers and acquisitions.
Getting Started
Review our technical documentation to learn how to onboard Snowflake audit logs into Panther. Explore our out-of-the-box detection and correlation rules in our open source ruleset on GitHub.
For a personalized look at how the integration can optimize your security operations, request a demo.
Staying Ahead of Threats
By combining Snowflake's powerful data capabilities with Panther's security expertise, organizations can confidently leverage their data while maintaining the highest levels of security. Our integration ensures your data remains protected, whether detecting anomalous query patterns, monitoring privileged access, or maintaining proper access controls for data scientists and analysts.
Join our April 10 webinar to learn how to defend your mission-critical data and genAI assets with insights from industry leaders at Snowflake, LaunchDarkly, and Panther. Register now!