
Snowflake Enrichment

Add Snowflake identity and access context to your detections.

Integration Overview

Panther's Snowflake enrichment capability lets you pull state data directly from your Snowflake ACCOUNT_USAGE schema — including users, roles, role grants, stages, and network policies — and use it to enrich incoming log events across any log source in Panther. Unlike Snowflake audit logs, which capture time-series security events, enrichment tables capture the current state of your Snowflake environment, giving detections the context they need to identify anomalous behavior. Snowflake enrichment is configured as an add-on to your Snowflake Audit log source and refreshes on the same interval.

Use Cases

Panther's Snowflake enrichment integration helps security teams:

  • Enrich incoming log events with Snowflake user and role context to detect privilege escalation or unauthorized access

  • Reference current network policies and role grants in detection logic to flag activity that deviates from expected access patterns

  • Correlate Snowflake identity state data with events across any log source for richer, more accurate detections

How it Works

Once enabled, Snowflake enrichment runs automatically against incoming log events across all log sources in your Panther environment. When a match is found between an event and a Snowflake enrichment table entry, the enrichment data is appended under the p_enrichment field and is immediately available in detection logic and searches. Enrichment data refreshes on the same cadence as your Snowflake Audit log source, with a minimum refresh period of 60 minutes.

Snowflake enrichment requires an active Snowflake Audit log source in Panther and cannot be configured independently.
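A detection that reads the appended context could look like the following. This is an added example, not Panther's own code or schema: the table name, the match field, the nesting under p_enrichment, and the row keys (name, disabled, granted_roles) are assumptions made for illustration, and the sample events are constructed.

```python
# Added example. Every name marked "assumed" is illustrative, not Panther's schema.
ENRICHMENT_TABLE = "snowflake_users"  # assumed enrichment table name
MATCH_FIELD = "user_name"             # assumed event field the match was made on
PRIVILEGED_ROLES = {"ACCOUNTADMIN", "SECURITYADMIN"}  # Snowflake system-defined roles


def snowflake_context(event):
    """Return the Snowflake state row attached to the event, or None if no match."""
    enrichment = event.get("p_enrichment") or {}
    return (enrichment.get(ENRICHMENT_TABLE) or {}).get(MATCH_FIELD)


def rule(event):
    """Fire when the acting identity is disabled or holds a privileged role."""
    ctx = snowflake_context(event)
    if ctx is None:
        # No match: the identity is unknown to Snowflake or was created after
        # the last refresh. Absence of context is not evidence either way.
        return False
    if ctx.get("disabled") is True:
        return True
    roles = {r.upper() for r in ctx.get("granted_roles", [])}
    return bool(roles & PRIVILEGED_ROLES)


def title(event):
    ctx = snowflake_context(event) or {}
    return f"Snowflake identity {ctx.get('name', '<unknown>')} is disabled or privileged"


def sample_event(user, row=None):
    """Build a constructed event; row is the assumed enrichment payload."""
    event = {"user_name": user, "action": "login"}
    if row is not None:
        event["p_enrichment"] = {ENRICHMENT_TABLE: {MATCH_FIELD: row}}
    return event


# Constructed sample events (not real log data).
ADMIN_EVENT = sample_event(
    "svc_etl", {"name": "SVC_ETL", "disabled": False, "granted_roles": ["accountadmin"]})
DISABLED_EVENT = sample_event(
    "jdoe", {"name": "JDOE", "disabled": True, "granted_roles": ["ANALYST"]})
NORMAL_EVENT = sample_event(
    "asmith", {"name": "ASMITH", "disabled": False, "granted_roles": ["ANALYST"]})
UNMATCHED_EVENT = sample_event("new_hire")
```

Because the enrichment data refreshes no more often than every 60 minutes, a role grant or user change made since the last refresh is not visible to a rule like this until the next refresh.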

You can check out our product documentation for more information.
