Integrating your Snowflake account with Hunters gives you the best of both worlds: ownership of your data together with the full Hunters SOC experience. Starting the integration from the Snowflake interface lets you quickly initiate a Hunters trial.

Important: Some organizations use Snowflake's IP whitelisting feature to restrict access to their Snowflake account. If your organization uses IP whitelisting, you must whitelist the Hunters SOC IP addresses below so that Hunters SOC can integrate with your Snowflake instance. This step is mandatory; if it is skipped, Hunters SOC tenant provisioning will not succeed.

18.192.165.147, 34.223.221.217, 34.223.20.125, 52.32.222.121, 52.35.219.75, 52.40.78.172, 54.68.155.124, 54.212.81.93, 52.35.55.27, 54.72.125.231, 54.214.94.117, 54.73.199.243, 54.220.191.11, 54.75.50.99, 34.223.186.164
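
One way to add these addresses to an existing account-level network policy without dropping the entries already in it. This is an added example, not part of the Hunters instructions; the policy name MY_ACCOUNT_POLICY and the range 203.0.113.0/24 are placeholders, and it assumes the policy uses ALLOWED_IP_LIST rather than network rules.

```sql
USE ROLE ACCOUNTADMIN;

-- 1. Check whether a network policy is set at the account level.
--    An empty value means no account-level policy is active.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;

-- 2. Record the current allowed and blocked lists before changing anything.
--    MY_ACCOUNT_POLICY is a placeholder for the policy name returned in step 1.
DESCRIBE NETWORK POLICY MY_ACCOUNT_POLICY;

-- 3. SET ALLOWED_IP_LIST replaces the whole list; it does not append.
--    Restate every existing entry and then add the Hunters SOC addresses.
ALTER NETWORK POLICY MY_ACCOUNT_POLICY SET ALLOWED_IP_LIST = (
  '203.0.113.0/24',  -- placeholder: your existing entries from step 2 go here
  '18.192.165.147', '34.223.221.217', '34.223.20.125',
  '52.32.222.121',  '52.35.219.75',   '52.40.78.172',
  '54.68.155.124',  '54.212.81.93',   '52.35.55.27',
  '54.72.125.231',  '54.214.94.117',  '54.73.199.243',
  '54.220.191.11',  '54.75.50.99',    '34.223.186.164'
);

-- 4. Confirm that both the original entries and the new ones are present.
DESCRIBE NETWORK POLICY MY_ACCOUNT_POLICY;
```

Entries in BLOCKED_IP_LIST take precedence over the allowed list, so check that none of the Hunters addresses fall inside a blocked range.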

Once the IP addresses above have been whitelisted, follow the steps below to get started.

Login

Log in to your Snowflake account

Partner Connect

Click Partner Connect on the top right

Initiate Connection

Select the Hunters tile, followed by Connect

Activation

Once the account has been created, a pop-up will appear that states the account is ready to be activated. Select Activate.

Hunters Portal

Welcome to Hunters Portal! After activation, you will be redirected to Hunters Portal to complete the registration process.

Finalization

In addition to the objects created automatically by Snowflake, a few others need to be manually created or altered to finish the process.

  1. Hunters will provide you with two parameters to use:

    • PARAMETER1 - RSA public key

    • PARAMETER2 - The password of PC_HUNTERS_WEB_USER

    These secrets will be shared over a secure channel.

  2. Use the above parameters to edit the below script.

  3. Before you make these changes, please make sure your user has ACCOUNTADMIN privileges in Snowflake.

  4. Run the script in your Snowflake SQL interface.

    USE ROLE ACCOUNTADMIN;
    
    -- Set warehouses for Snowflake Standard Edition customers
    -- ALTER WAREHOUSE PC_HUNTERS_WH SET AUTO_SUSPEND=60 AUTO_RESUME=TRUE;
    -- CREATE OR REPLACE WAREHOUSE PC_HUNTERS_INTERACTIVE_WH WITH WAREHOUSE_SIZE = 'XSMALL' AUTO_SUSPEND = 60 AUTO_RESUME = TRUE;
    
    -- Set warehouses for Snowflake Enterprise Edition customers
    ALTER WAREHOUSE PC_HUNTERS_WH SET AUTO_SUSPEND=60 AUTO_RESUME=TRUE MIN_CLUSTER_COUNT=1 MAX_CLUSTER_COUNT=5 SCALING_POLICY='ECONOMY';
    CREATE OR REPLACE WAREHOUSE PC_HUNTERS_INTERACTIVE_WH WITH WAREHOUSE_SIZE = 'XSMALL' AUTO_SUSPEND = 60 AUTO_RESUME = TRUE SCALING_POLICY='STANDARD';
    
    -- Set new roles
    CREATE ROLE IF NOT EXISTS PC_HUNTERS_WEB_ROLE;
    CREATE ROLE IF NOT EXISTS SECURITY_ANALYST;
    
    -- Set users
    ALTER USER PC_HUNTERS_USER SET RSA_PUBLIC_KEY='{PARAMETER1}';
    CREATE OR REPLACE USER PC_HUNTERS_WEB_USER LOGIN_NAME='PC_HUNTERS_WEB_USER' PASSWORD='{PARAMETER2}' DEFAULT_ROLE='PC_HUNTERS_WEB_ROLE' DEFAULT_WAREHOUSE='PC_HUNTERS_INTERACTIVE_WH';
    GRANT ROLE PC_HUNTERS_WEB_ROLE TO USER PC_HUNTERS_WEB_USER;
    
    -- Grant extra privileges to PC_HUNTERS_ROLE
    GRANT MONITOR ON WAREHOUSE PC_HUNTERS_WH TO ROLE PC_HUNTERS_ROLE;
    GRANT MONITOR ON WAREHOUSE PC_HUNTERS_INTERACTIVE_WH TO ROLE PC_HUNTERS_ROLE;
    GRANT CREATE INTEGRATION ON ACCOUNT TO ROLE PC_HUNTERS_ROLE;
    GRANT EXECUTE TASK ON ACCOUNT TO ROLE PC_HUNTERS_ROLE;
    GRANT MONITOR EXECUTION ON ACCOUNT TO ROLE PC_HUNTERS_ROLE;
    
    -- Grant privileges to PC_HUNTERS_WEB_ROLE
    GRANT USAGE ON WAREHOUSE PC_HUNTERS_INTERACTIVE_WH TO ROLE PC_HUNTERS_WEB_ROLE;
    
    -- Grant privileges to SECURITY_ANALYST
    GRANT USAGE ON DATABASE PC_HUNTERS_DB TO ROLE SECURITY_ANALYST;
    GRANT USAGE ON FUTURE SCHEMAS IN DATABASE PC_HUNTERS_DB TO ROLE SECURITY_ANALYST;
    

Script Breakdown

Outlined below are all of the actions performed by the script.

  • Creates a separate warehouse (PC_HUNTERS_INTERACTIVE_WH) to be used by Hunters Portal. While the most used warehouse (PC_HUNTERS_WH) is tuned to reduce costs thanks to the economy scaling policy, the interactive warehouse optimizes the response time.

  • Creates a user (PC_HUNTERS_WEB_USER) and a role (PC_HUNTERS_WEB_ROLE), and allows the role to use the interactive warehouse. This role will have access to PC_HUNTERS_DB as well (no further action is needed from your end).

  • Grants monitor privileges on the Hunters-specific warehouses (both PC_HUNTERS_WH and PC_HUNTERS_INTERACTIVE_WH).

  • Grants permission to create a storage integration. This allows Hunters to load data from Hunters' S3 staging bucket using Snowpipe. Snowpipe saves costs because it is charged per second rather than according to a normal warehouse's operating time.

  • Creates a role, SECURITY_ANALYST, and grants it usage privileges on PC_HUNTERS_DB's schemas so that your security analysts can access the Hunters DB, as described in the Usage section below.

  • Grants PC_HUNTERS_ROLE permission to execute tasks. However, executing a task also requires USAGE permission on the DB and schema in which the task resides. Hence, the role will not get access to tasks defined in DBs other than PC_HUNTERS_DB.
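
Read-only checks that confirm the script left the account in the state described above. This is an added example, not part of the Hunters script; it uses only the object names from the script and assumes you run it as ACCOUNTADMIN.

```sql
USE ROLE ACCOUNTADMIN;

-- 1. Key-pair authentication: RSA_PUBLIC_KEY_FP should hold a fingerprint.
--    Compare it with the fingerprint of the key received as PARAMETER1.
DESCRIBE USER PC_HUNTERS_USER;
SELECT "property", "value"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "property" IN ('RSA_PUBLIC_KEY_FP', 'DEFAULT_ROLE', 'DEFAULT_WAREHOUSE');

-- 2. Account-level privileges of PC_HUNTERS_ROLE. The script grants three
--    (CREATE INTEGRATION, EXECUTE TASK, MONITOR EXECUTION). Any row returned
--    here was granted outside the script and should be traced to its source.
SHOW GRANTS TO ROLE PC_HUNTERS_ROLE;
SELECT "privilege", "granted_by", "created_on"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "granted_on" = 'ACCOUNT'
  AND "privilege" NOT IN ('CREATE INTEGRATION', 'EXECUTE TASK', 'MONITOR EXECUTION');

-- 3. PC_HUNTERS_WEB_ROLE: the script itself grants only USAGE on
--    PC_HUNTERS_INTERACTIVE_WH. Any PC_HUNTERS_DB access listed here
--    was not granted by the script.
SHOW GRANTS TO ROLE PC_HUNTERS_WEB_ROLE;

-- 4. SECURITY_ANALYST: USAGE on PC_HUNTERS_DB plus the future-schema grant.
SHOW GRANTS TO ROLE SECURITY_ANALYST;
SHOW FUTURE GRANTS IN DATABASE PC_HUNTERS_DB;

-- 5. Which users and roles hold the two new roles.
SHOW GRANTS OF ROLE PC_HUNTERS_WEB_ROLE;
SHOW GRANTS OF ROLE SECURITY_ANALYST;

-- 6. Warehouse settings: check the auto_suspend, auto_resume and
--    scaling_policy columns against the values set by the script.
SHOW WAREHOUSES LIKE 'PC_HUNTERS%';
```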

Usage

Once you configure your first dataflow inside Hunters, two new schemas will be populated.

  • raw - contains raw data tables per data type. Every time a new data type is added, a new table will be created for that data type.

  • investigation - contains the internal tables of Hunters' investigation engine.

You may use the SECURITY_ANALYST role in order to get access and start exploring your data in PC_HUNTERS_DB.