Integrating your Snowflake account with Hunters gives you the best of both worlds: data ownership and Hunters XDR. Using this feature through the Snowflake interface lets you quickly create a Hunters trial.

Setup

Follow the steps to get started:

Step 1 - Log in to your Snowflake account

Step 2 - Select Partner Connect on the top right

Step 3 - Select the Hunters tile, followed by Connect

Step 4 - Activate

Once the account has been created, a pop-up will appear that states the account is ready to be activated. Select Activate.

Step 5 - Welcome to Hunters Portal!

After activation, you will be redirected to Hunters Portal to complete the registration process.

Step 6 - Manual run in Snowflake

In addition to the objects created automatically by Snowflake, a few others have to be manually created or altered to finish the process.

  1. Hunters will provide you with two parameters to use:

    • PARAMETER1 - RSA public key

    • PARAMETER2 - PC_HUNTERS_WEB_USER’s password

    These secrets will be shared over a secure channel.

  2. Use the above parameters to edit the below script.

  3. Make sure your user has ACCOUNTADMIN privileges.

  4. Run the script in your Snowflake SQL interface.

    Use role ACCOUNTADMIN;
    
    -- Set warehouses for Snowflake Standard Edition customers
    -- ALTER WAREHOUSE PC_HUNTERS_WH SET AUTO_SUSPEND=60 AUTO_RESUME=TRUE;
    -- CREATE OR REPLACE WAREHOUSE PC_HUNTERS_INTERACTIVE_WH WITH WAREHOUSE_SIZE = 'XSMALL' AUTO_SUSPEND = 60 AUTO_RESUME = TRUE;
    
    -- Set warehouses for Snowflake Enterprise Edition customers
    ALTER WAREHOUSE PC_HUNTERS_WH SET AUTO_SUSPEND=60 AUTO_RESUME=TRUE MIN_CLUSTER_COUNT=1 MAX_CLUSTER_COUNT=5 SCALING_POLICY='ECONOMY';
    CREATE OR REPLACE WAREHOUSE PC_HUNTERS_INTERACTIVE_WH WITH WAREHOUSE_SIZE = 'XSMALL' AUTO_SUSPEND = 60 AUTO_RESUME = TRUE SCALING_POLICY='STANDARD';
    
    -- Set new roles
    CREATE ROLE IF NOT EXISTS PC_HUNTERS_WEB_ROLE;
    CREATE ROLE IF NOT EXISTS SECURITY_ANALYST;
    
    -- Set users
    ALTER USER PC_HUNTERS_USER SET RSA_PUBLIC_KEY='{PARAMETER1}';
    CREATE OR REPLACE USER PC_HUNTERS_WEB_USER LOGIN_NAME='PC_HUNTERS_WEB_USER' PASSWORD='{PARAMETER2}' DEFAULT_ROLE='PC_HUNTERS_WEB_ROLE' DEFAULT_WAREHOUSE='PC_HUNTERS_INTERACTIVE_WH';
    GRANT ROLE PC_HUNTERS_WEB_ROLE TO USER PC_HUNTERS_WEB_USER;
    
    -- Grant extra privileges to PC_HUNTERS_ROLE
    GRANT MONITOR ON WAREHOUSE PC_HUNTERS_WH TO ROLE PC_HUNTERS_ROLE;
    GRANT MONITOR ON WAREHOUSE PC_HUNTERS_INTERACTIVE_WH TO ROLE PC_HUNTERS_ROLE;
    GRANT CREATE INTEGRATION ON ACCOUNT TO ROLE PC_HUNTERS_ROLE;
    GRANT EXECUTE TASK ON ACCOUNT TO ROLE PC_HUNTERS_ROLE;
    GRANT MONITOR EXECUTION ON ACCOUNT TO ROLE PC_HUNTERS_ROLE;
    
    -- Grant privileges to PC_HUNTERS_WEB_ROLE
    GRANT USAGE ON WAREHOUSE PC_HUNTERS_INTERACTIVE_WH TO ROLE PC_HUNTERS_WEB_ROLE;
    
    -- Grant privileges to SECURITY_ANALYST
    GRANT USAGE ON DATABASE PC_HUNTERS_DB TO ROLE SECURITY_ANALYST;
    GRANT USAGE ON FUTURE SCHEMAS IN DATABASE PC_HUNTERS_DB TO ROLE SECURITY_ANALYST;
    

The script:

  • Creates a separate warehouse (PC_HUNTERS_INTERACTIVE_WH) to be used by Hunters Portal. While the most used warehouse (PC_HUNTERS_WH) is tuned to reduce costs thanks to the economy scaling policy, the interactive warehouse optimizes the response time.

  • Creates a user (PC_HUNTERS_WEB_USER) and a role (PC_HUNTERS_WEB_ROLE), and allows the role to use the interactive warehouse. This role will have access to PC_HUNTERS_DB as well (no further action is needed from your end).

  • Grants monitor privileges on the Hunters-specific warehouses (both PC_HUNTERS_WH and PC_HUNTERS_INTERACTIVE_WH).

  • Grants permission to create a storage integration. This allows Hunters to load data from Hunters' S3 staging bucket using Snowpipe. Snowpipe saves costs because its cost is calculated per second rather than according to a normal warehouse's operating time.

  • Creates a role SECURITY_ANALYST and grants usage privileges on PC_HUNTERS_DB's schemas to let your security analysts access the Hunters DB, as described in the Usage section.

  • Grants permission to execute tasks to PC_HUNTERS_ROLE. However, executing a task also requires USAGE permission on the DB and schema in which the task resides. Hence, the role will not get access to tasks defined under DBs other than PC_HUNTERS_DB.
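
A post-run check for the grants listed above, added here as an example (it is not part of the Hunters script). It assumes you run it as ACCOUNTADMIN in the same Snowflake SQL interface after the setup script has completed; the `expected` list is copied from the script's "Grant extra privileges to PC_HUNTERS_ROLE" section.

```sql
USE ROLE ACCOUNTADMIN;

-- 1. Compare what PC_HUNTERS_ROLE actually holds against what the script grants.
SHOW GRANTS TO ROLE PC_HUNTERS_ROLE;

WITH expected (privilege, granted_on, object_name) AS (
    SELECT * FROM VALUES
        ('MONITOR',            'WAREHOUSE', 'PC_HUNTERS_WH'),
        ('MONITOR',            'WAREHOUSE', 'PC_HUNTERS_INTERACTIVE_WH'),
        ('CREATE INTEGRATION', 'ACCOUNT',   NULL),  -- account-level: name not compared
        ('EXECUTE TASK',       'ACCOUNT',   NULL),
        ('MONITOR EXECUTION',  'ACCOUNT',   NULL)
),
actual AS (
    -- RESULT_SCAN reads the output of the SHOW GRANTS statement just above
    SELECT "privilege"  AS privilege,
           "granted_on" AS granted_on,
           "name"       AS object_name
    FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
)
SELECT e.privilege,
       e.granted_on,
       e.object_name,
       IFF(a.privilege IS NULL, 'MISSING', 'OK') AS status
FROM expected e
LEFT JOIN actual a
       ON a.privilege  = e.privilege
      AND a.granted_on = e.granted_on
      AND (e.object_name IS NULL OR a.object_name = e.object_name)
ORDER BY status, e.privilege;

-- 2. Confirm the RSA public key (PARAMETER1) was applied to PC_HUNTERS_USER.
--    RSA_PUBLIC_KEY_FP is empty when no key is set.
DESC USER PC_HUNTERS_USER;

SELECT "property", "value"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "property" IN ('RSA_PUBLIC_KEY_FP', 'DEFAULT_ROLE', 'DEFAULT_WAREHOUSE');
```

Any row with status MISSING points to a GRANT statement that did not take effect; the rows returned by the first `SHOW GRANTS` also let you see privileges the role holds beyond those in the script.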

Usage

Once you configure your first dataflow inside Hunters, 2 new schemas will start to be populated:

  • raw - contains raw data tables per data type. Every time a new data type is added, a new table will be created.

  • investigation - contains the internal tables of Hunters investigation engines.

Use the SECURITY_ANALYST role in order to get access and start exploring your data in PC_HUNTERS_DB.