Connect your Snowflake to Hunters

📘Note

Hunters currently supports only AWS as a cloud provider for Snowflake.

Integrating your Snowflake account with Hunters allows you to enjoy ownership over your data, as well as the full experience of Hunters.

❗️ Whitelisting IPs

Some organizations use IP whitelisting to restrict access to their data lake account. If your organization uses IP whitelisting, you must whitelist Hunters' IP addresses so that Hunters can integrate with your data lake instance.

This step is mandatory; if you skip it, Hunters tenant provisioning will not succeed.

Setting up Hunters with Snowflake Partner Connect

To set up your Snowflake account with Hunters:

  1. Log in to your Snowflake account.

  2. From your dashboard menu, click Admin > Partner Connect.

  3. Search for Hunters and click the tile.

  4. Click Connect to start the connection.

  5. Once your account has been created, a pop-up will appear stating the account is ready to be activated; select Activate.

  6. You will be redirected to the Hunters portal to complete the registration process on our side.

Finalization

After initial setup, there are a few more things needed to finish the setup process.

  1. Hunters will provide you with the following parameter to use:

    PARAMETER1 - The password of PC_HUNTERS_WEB_USER

    Our support team will share this secret with you via a secure channel.

  2. Using the above parameter, edit the script provided below.

    Use role ACCOUNTADMIN;
    
    Use database PC_HUNTERS_DB;
    -- Set warehouses for Snowflake Standard Edition customers
    -- ALTER WAREHOUSE PC_HUNTERS_WH SET AUTO_SUSPEND=60 AUTO_RESUME=TRUE;
    -- CREATE OR REPLACE WAREHOUSE PC_HUNTERS_INTERACTIVE_WH WITH WAREHOUSE_SIZE = 'MEDIUM' AUTO_SUSPEND = 60 AUTO_RESUME = TRUE;
    
    -- Set warehouses for Snowflake Enterprise Edition customers
    ALTER WAREHOUSE PC_HUNTERS_WH SET AUTO_SUSPEND=60 AUTO_RESUME=TRUE MIN_CLUSTER_COUNT=1 MAX_CLUSTER_COUNT=5 SCALING_POLICY='ECONOMY';
    CREATE OR REPLACE WAREHOUSE PC_HUNTERS_INTERACTIVE_WH WITH WAREHOUSE_SIZE = 'MEDIUM' AUTO_SUSPEND = 60 AUTO_RESUME = TRUE SCALING_POLICY='STANDARD';
    
    -- Set new roles
    CREATE ROLE IF NOT EXISTS PC_HUNTERS_WEB_ROLE;
    CREATE ROLE IF NOT EXISTS SECURITY_ANALYST;
    
    --Create network rules and policy:
    CREATE NETWORK RULE hunters_network
      TYPE = IPV4
      VALUE_LIST = ('54.73.199.243','54.220.191.11','54.75.50.99','54.212.81.93','34.223.221.217','34.223.186.164','52.35.219.75','52.40.78.172','52.211.30.86','52.214.31.50','18.203.212.46','54.68.155.124','34.223.20.125','54.214.94.117','52.32.222.121','35.83.242.177','18.192.165.147','35.162.98.78',
    '54.202.110.6', '35.163.166.14', '52.39.212.48', '34.213.101.49', '52.89.191.5'); 
    CREATE NETWORK RULE third_party_network
      TYPE = IPV4
      VALUE_LIST = ('52.35.55.27','54.72.125.231','54.186.74.45','54.187.196.247');
    CREATE NETWORK POLICY PC_HUNTERS_USER_POLICY ALLOWED_NETWORK_RULE_LIST = ('hunters_network', 'third_party_network');
    
    -- Set users
    ALTER USER PC_HUNTERS_USER SET NETWORK_POLICY = PC_HUNTERS_USER_POLICY;
    CREATE OR REPLACE USER PC_HUNTERS_WEB_USER LOGIN_NAME='PC_HUNTERS_WEB_USER' PASSWORD='{PARAMETER1}' DEFAULT_ROLE='PC_HUNTERS_WEB_ROLE' DEFAULT_WAREHOUSE='PC_HUNTERS_INTERACTIVE_WH' NETWORK_POLICY = PC_HUNTERS_USER_POLICY TYPE=LEGACY_SERVICE;
    GRANT ROLE PC_HUNTERS_WEB_ROLE TO USER PC_HUNTERS_WEB_USER;
    
    -- Grant extra privileges to PC_HUNTERS_ROLE
    GRANT MONITOR ON WAREHOUSE PC_HUNTERS_WH TO ROLE PC_HUNTERS_ROLE;
    GRANT MONITOR ON WAREHOUSE PC_HUNTERS_INTERACTIVE_WH TO ROLE PC_HUNTERS_ROLE;
    GRANT CREATE INTEGRATION ON ACCOUNT TO ROLE PC_HUNTERS_ROLE;
    GRANT EXECUTE TASK ON ACCOUNT TO ROLE PC_HUNTERS_ROLE;
    GRANT MONITOR EXECUTION ON ACCOUNT TO ROLE PC_HUNTERS_ROLE;
    GRANT OWNERSHIP ON USER PC_HUNTERS_USER TO ROLE PC_HUNTERS_ROLE;
    
    -- Grant extra privileges to allow for cost monitoring and optimization
    CREATE ROLE IF NOT EXISTS PC_HUNTERS_USAGE_ROLE;
    GRANT USAGE ON WAREHOUSE PC_HUNTERS_WH TO ROLE PC_HUNTERS_USAGE_ROLE;
    GRANT DATABASE ROLE USAGE_VIEWER TO ROLE PC_HUNTERS_USAGE_ROLE;
    GRANT DATABASE ROLE OBJECT_VIEWER TO ROLE PC_HUNTERS_USAGE_ROLE;
    GRANT DATABASE ROLE GOVERNANCE_VIEWER TO ROLE PC_HUNTERS_USAGE_ROLE;
    GRANT ROLE PC_HUNTERS_USAGE_ROLE TO USER PC_HUNTERS_USER;
    
    -- Grant privileges to PC_HUNTERS_WEB_ROLE
    GRANT USAGE ON WAREHOUSE PC_HUNTERS_INTERACTIVE_WH TO ROLE PC_HUNTERS_WEB_ROLE;
    GRANT USAGE ON WAREHOUSE PC_HUNTERS_INTERACTIVE_WH TO ROLE PC_HUNTERS_ROLE;
    
    -- Grant privileges to SECURITY_ANALYST
    GRANT USAGE ON DATABASE PC_HUNTERS_DB TO ROLE SECURITY_ANALYST;
    GRANT USAGE ON FUTURE SCHEMAS IN DATABASE PC_HUNTERS_DB TO ROLE SECURITY_ANALYST;
    
    -- Grant access to Hunters' query_history and sessions
    CREATE OR REPLACE SECURE VIEW PC_HUNTERS_DB.RAW.snowflake_query_history AS
    SELECT *
    FROM SNOWFLAKE.ACCOUNT_USAGE.query_history
    WHERE DATABASE_NAME = 'PC_HUNTERS_DB';
    GRANT SELECT ON VIEW PC_HUNTERS_DB.RAW.snowflake_query_history TO ROLE PC_HUNTERS_ROLE;
    
    
    CREATE OR REPLACE SECURE VIEW PC_HUNTERS_DB.RAW.snowflake_sessions AS
    SELECT *
    FROM SNOWFLAKE.ACCOUNT_USAGE.sessions
    WHERE user_name = 'PC_HUNTERS_USER';
    GRANT SELECT ON VIEW PC_HUNTERS_DB.RAW.snowflake_sessions TO ROLE PC_HUNTERS_ROLE;

  3. Confirm your user has ACCOUNTADMIN privileges in Snowflake.

  4. Run the script in your Snowflake SQL interface.
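
After the script has run, the statements below confirm that the network policy, users and grants ended up as intended. This is an added verification example, not part of the script Hunters provides; it assumes the object names used in the script above and a 7-day review window chosen for illustration.

```sql
-- Added verification example (not part of the Hunters-provided script).
USE ROLE ACCOUNTADMIN;

-- 1. The policy exists and references both network rules.
DESCRIBE NETWORK POLICY PC_HUNTERS_USER_POLICY;

-- 2. The rules were created in PC_HUNTERS_DB; review their entries
--    against the IP addresses Hunters gave you.
SHOW NETWORK RULES IN DATABASE PC_HUNTERS_DB;

-- 3. The policy is attached at user level to both service users.
--    An empty value means the user is not restricted by it.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN USER PC_HUNTERS_USER;
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN USER PC_HUNTERS_WEB_USER;

-- 4. Each role holds only the privileges the script summary lists.
SHOW GRANTS TO USER PC_HUNTERS_WEB_USER;
SHOW GRANTS TO ROLE PC_HUNTERS_WEB_ROLE;
SHOW GRANTS TO ROLE PC_HUNTERS_ROLE;
SHOW GRANTS TO ROLE PC_HUNTERS_USAGE_ROLE;
SHOW GRANTS TO ROLE SECURITY_ANALYST;

-- 5. Recurring check: where the service users log in from, and which
--    attempts failed. ACCOUNT_USAGE views lag behind real time, so very
--    recent logins may not appear yet.
SELECT
    user_name,
    client_ip,
    is_success,
    error_code,
    error_message,
    COUNT(*)             AS attempts,
    MIN(event_timestamp) AS first_seen,
    MAX(event_timestamp) AS last_seen
FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE user_name IN ('PC_HUNTERS_USER', 'PC_HUNTERS_WEB_USER')
  AND event_timestamp >= DATEADD(day, -7, CURRENT_TIMESTAMP())
GROUP BY user_name, client_ip, is_success, error_code, error_message
ORDER BY user_name, attempts DESC;
```

A successful login from a client IP that is not in either network rule means the policy is not being enforced for that user and should be investigated.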

Script summary

Outlined below are all of the actions performed by the script:

  • Creates a separate warehouse (PC_HUNTERS_INTERACTIVE_WH) to be used by the Hunters Portal. The most used warehouse (PC_HUNTERS_WH) is tuned to reduce costs through the economy scaling policy, while the interactive warehouse is tuned for response time. PC_HUNTERS_WH runs our analytical workload services (detection, investigation), and PC_HUNTERS_INTERACTIVE_WH serves ad-hoc queries from the platform to Snowflake (IOC Search and Host Investigation features).

  • Creates a user (PC_HUNTERS_WEB_USER) and a role (PC_HUNTERS_WEB_ROLE) and allows it to use the interactive warehouse. This role will have access to PC_HUNTERS_DB as well (no further action is needed from your end).

  • Restricts PC_HUNTERS_USER to be able to log in only from this list of specified IP addresses.

  • Grants monitor privileges on the Hunters-specific warehouses (both PC_HUNTERS_WH and PC_HUNTERS_INTERACTIVE_WH).

  • Grants permission to create a storage integration. This allows Hunters to load data from Hunters' S3 staging bucket using Snowpipe. Snowpipe saves costs because it is billed per second rather than by a normal warehouse's operating time.

  • Creates a role SECURITY_ANALYST and grants usage privileges on PC_HUNTERS_DB's schemas so that your security analysts can access the Hunters DB, as described in the usage section below.

  • Grants permission to execute tasks to PC_HUNTERS_ROLE. However, executing a task also requires USAGE permission on the DB and schema in which the task resides. Hence, the role will not get access to tasks defined in DBs other than PC_HUNTERS_DB.

  • Grants extra privileges to allow for cost monitoring and optimization to PC_HUNTERS_USAGE_ROLE.

📘Warehouse Size

As Hunters requires substantial compute resources, we've set the required size of the interactive warehouse to Medium. After experimenting with different warehouse sizes, we've concluded that anything under Medium will result in performance degradation.

Provisioning a minimum warehouse size of Medium will allow Hunters to function smoothly.


Using Snowflake

After you configure your first dataflow inside Hunters, two new schemas will be populated in Snowflake.

  • Raw - Contains raw data tables per data type (integration). Every time a new data type is added, a new table will be created for that data type.

  • Investigation - Contains the internal tables of the Hunters investigation engine.

You may use the SECURITY_ANALYST role in order to access and explore your data in PC_HUNTERS_DB.
