Repackage - Snowflake(Azure Function Changes) #8919

Merged
merged 4 commits into from
Aug 31, 2023
@@ -1,6 +1,6 @@
{
"id": "SnowflakeDataConnector",
"title": "Snowflake (using Azure Function)",
"title": "Snowflake",
"publisher": "Snowflake",
"descriptionMarkdown": "The Snowflake data connector provides the capability to ingest Snowflake [login logs](https://docs.snowflake.com/en/sql-reference/account-usage/login_history.html) and [query logs](https://docs.snowflake.com/en/sql-reference/account-usage/query_history.html) into Microsoft Sentinel using the Snowflake Python Connector. Refer to [Snowflake documentation](https://docs.snowflake.com/en/user-guide/python-connector.html) for more information.",
"additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**Snowflake**](https://aka.ms/sentinel-SnowflakeDataConnector-parser) which is deployed with the Microsoft Sentinel Solution.",
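Review bot: the title drops the "(using Azure Function)" qualifier while descriptionMarkdown in the same hunk still describes ingestion through the Azure Function-hosted Snowflake Python Connector, so the connector tile no longer tells users up front that it deploys a Function App; if the rename is intentional, make sure the bare "Snowflake" title does not collide with the other "Snowflake" display names this PR introduces (the createUiDefinition section label is also "Snowflake"), and check that the additionalRequirementBanner parser link still resolves now that the parser file moves from Snowflake.txt to Snowflake.yaml elsewhere in this PR.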
Expand Down Expand Up @@ -110,21 +110,42 @@
}
]
},
{
"instructions": [
{
"parameters":{
"instructionSteps": [
{
"title": "Option 1 - Azure Resource Manager (ARM) Template",
"description": "Use this method for automated deployment of the data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-SnowflakeDataConnector-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Snowflake Account Identifier**, **Snowflake User**, **Snowflake Password**, **Microsoft Sentinel Workspace Id**, **Microsoft Sentinel Shared Key**\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**.\n5. Click **Purchase** to deploy."
},
{
"title": "Option 2 - Manual Deployment of Azure Functions",
"description": "Use the following step-by-step instructions to deploy the data connector manually with Azure Functions (Deployment via Visual Studio Code)."
},
"description": "Use the following step-by-step instructions to deploy the data connector manually with Azure Functions (Deployment via Visual Studio Code).",
"instructions": [
{
"parameters": {

"instructionSteps": [
{
"title": "",
"description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/create-first-function-vs-code-python) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-SnowflakeDataConnector-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. Snowflake12).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
"title": "Step 1 - Deploy a Function App",
"description": "1. Download the [Azure Function App](https://aka.ms/sentinel-SnowflakeDataConnector-functionapp) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it."
},
{
"title": "",
"description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tSNOWFLAKE_ACCOUNT\n\t\tSNOWFLAKE_USER\n\t\tSNOWFLAKE_PASSWORD\n\t\tWORKSPACE_ID\n\t\tSHARED_KEY\n\t\tlogAnalyticsUri (optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://WORKSPACE_ID.ods.opinsights.azure.us`. \n4. Once all application settings have been entered, click **Save**."
{
"title": "Step 2 - Configure the Function App",
"description": "1. Go to Azure Portal for the Function App configuration. \n2. In the Function App, select the Function App Name and select **Configuration**.\n3. In the **Application settings** tab, select **+ New application setting**.\n4. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tSNOWFLAKE_ACCOUNT\n\t\tSNOWFLAKE_USER\n\t\tSNOWFLAKE_PASSWORD\n\t\tWORKSPACE_ID\n\t\tSHARED_KEY\n\t\tlogAnalyticsUri (optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://WORKSPACE_ID.ods.opinsights.azure.us`. \n4. Once all application settings have been entered, click **Save**."
}
]
},
"type": "InstructionStepsGroup"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
]
}
]
}
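Review bot: the new "Step 2 - Configure the Function App" description numbers two items as "4." ("Add each of the following application settings" and "Once all application settings have been entered, click **Save**"); renumber the last one to 5. Separately, SNOWFLAKE_PASSWORD and SHARED_KEY are entered as plain application settings; since Azure Functions app settings accept Key Vault references, consider adding one sentence suggesting those two be stored as Key Vault secrets and referenced with `@Microsoft.KeyVault(SecretUri=<secret-uri>)`. Minor: the blank line inside the new "parameters" object, before "instructionSteps", is stray whitespace in the JSON.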
4 changes: 2 additions & 2 deletions Solutions/Snowflake/Data/Solution_Snowflake.json
Expand Up @@ -31,14 +31,14 @@
"Hunting Queries/SnowflakeUserSources.yaml"
],
"Parsers" : [
"Parsers/Snowflake.txt"
"Parsers/Snowflake.yaml"
],
"Workbooks" : [
"Workbooks/Snowflake.json"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Snowflake",
"Version": "2.0.0",
"Version": "3.0.0",
"TemplateSpec": true,
"Is1PConnector": false
}
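Review bot: the parser entry changes to "Parsers/Snowflake.yaml", but system_generated_metadata.json added in this same PR still lists "Snowflake.txt" under "Parsers"; the two files should agree, otherwise the packaging step references a file that this PR no longer ships. The version bump to 3.0.0 is consistent with the added Package/3.0.0.zip.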
33 changes: 33 additions & 0 deletions Solutions/Snowflake/Data/system_generated_metadata.json
@@ -0,0 +1,33 @@
{
"Name": "Snowflake",
"Author": "Microsoft - support@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">",
"Description": "The Snowflake solution provides the capability to ingest Snowflake [login logs](https://docs.snowflake.com/en/sql-reference/account-usage/login_history.html) and [query logs](https://docs.snowflake.com/en/sql-reference/account-usage/query_history.html) into Microsoft Sentinel using the Snowflake Python Connector. Refer to [Snowflake documentation](https://docs.snowflake.com/en/user-guide/python-connector.html) for more information.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api) \r\n\n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\r\n\n\n\n",
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Snowflake",
"Version": "3.0.0",
"TemplateSpec": true,
"Is1PConnector": false,
"publisherId": "azuresentinel",
"offerId": "azure-sentinel-solution-snowflake",
"providers": [
"Snowflake"
],
"categories": {
"domains": [
"Application"
]
},
"firstPublishDate": "2021-10-23",
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
},
"Data Connectors": "[\n \"Data Connectors/Snowflake_API_FunctionApp.json\"\n]",
"Parsers": "[\n \"Snowflake.txt\"\n]",
"Workbooks": "[\n \"Workbooks/Snowflake.json\"\n]",
"Analytic Rules": "[\n \"SnowflakeDiscoveryActivity.yaml\",\n \"SnowflakeLongQueryProcessTime.yaml\",\n \"SnowflakeMultipleFailedQueries.yaml\",\n \"SnowflakeMultipleLoginFailure.yaml\",\n \"SnowflakeMultipleLoginFailureFromIP.yaml\",\n \"SnowflakePossibleDataDestruction.yaml\",\n \"SnowflakePrivilegesDiscovery.yaml\",\n \"SnowflakeQueryOnSensitiveTable.yaml\",\n \"SnowflakeUnusualQuery.yaml\",\n \"SnowflakeUserAddAdminPrivileges.yaml\"\n]",
"Hunting Queries": "[\n \"SnowflakeAdminSources.yaml\",\n \"SnowflakeDeletedDatabases.yaml\",\n \"SnowflakeDeletedTables.yaml\",\n \"SnowflakeDormantUser.yaml\",\n \"SnowflakeFailedLogins.yaml\",\n \"SnowflakeHighCreditConsumingQueries.yaml\",\n \"SnowflakeTimeConsumingQueries.yaml\",\n \"SnowflakeUnknownQueryType.yaml\",\n \"SnowflakeUnusedAdmins.yaml\",\n \"SnowflakeUserSources.yaml\"\n]"
}
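Review bot: "Parsers" here lists "Snowflake.txt" while Solution_Snowflake.json in this PR now points at Parsers/Snowflake.yaml; align the two so the generated package picks up the renamed parser. Minor: the "Logo" img tag runs its attributes together (`\"width=\"75px\"height=\"75px\"`); a space is needed between the `src`, `width` and `height` attributes for the tag to be valid HTML.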
Binary file added Solutions/Snowflake/Package/3.0.0.zip
36 changes: 25 additions & 11 deletions Solutions/Snowflake/Package/createUiDefinition.json
Expand Up @@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Snowflake solution provides the capability to ingest Snowflake [login logs](https://docs.snowflake.com/en/sql-reference/account-usage/login_history.html) and [query logs](https://docs.snowflake.com/en/sql-reference/account-usage/query_history.html) into Microsoft Sentinel using the Snowflake Python Connector. Refer to [Snowflake documentation](https://docs.snowflake.com/en/user-guide/python-connector.html) for more information.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api) \r\n\n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\r\n\n\n\n\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Snowflake/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Snowflake solution provides the capability to ingest Snowflake [login logs](https://docs.snowflake.com/en/sql-reference/account-usage/login_history.html) and [query logs](https://docs.snowflake.com/en/sql-reference/account-usage/query_history.html) into Microsoft Sentinel using the Snowflake Python Connector. Refer to [Snowflake documentation](https://docs.snowflake.com/en/user-guide/python-connector.html) for more information.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api) \r\n\n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\r\n\n\n\n\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
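Review bot: the new note links to Solutions/Snowflake/ReleaseNotes.md, but no ReleaseNotes.md appears among the files changed in this diff; confirm the file already exists on master at that path, otherwise the installer's "Release Notes" link opens a 404 for every user who follows the note before installing.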
Expand Down Expand Up @@ -107,6 +107,20 @@
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
}
}
},
{
"name": "workbook1",
"type": "Microsoft.Common.Section",
"label": "Snowflake",
"elements": [
{
"name": "workbook1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Sets the time name for analysis"
}
}
]
}
]
},
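Review bot: the added workbook1 section's text, "Sets the time name for analysis", does not describe what the Snowflake workbook shows and reads like a placeholder; replace it with a one-line description of the workbook's content, in the same way each hunting query section below carries a one-line description of its query.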
Expand Down Expand Up @@ -309,7 +323,7 @@
"name": "huntingquery1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for privileged users' source IP addresses. It depends on the Snowflake data connector and Snowflake data type and Snowflake parser."
"text": "Query searches for privileged users' source IP addresses. This hunting query depends on Snowflake data connector (Snowflake Parser or Table)"
}
}
]
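Review bot: the new text "This hunting query depends on Snowflake data connector (Snowflake Parser or Table)" is missing an article and a terminal period; "This hunting query depends on the Snowflake data connector (Snowflake parser or table)." reads cleaner. The identical replacement text is applied to huntingquery2 through huntingquery10 below, so the wording should be fixed once at its source rather than in each of the ten blocks.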
Expand All @@ -323,7 +337,7 @@
"name": "huntingquery2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for deleted databases. It depends on the Snowflake data connector and Snowflake data type and Snowflake parser."
"text": "Query searches for deleted databases. This hunting query depends on Snowflake data connector (Snowflake Parser or Table)"
}
}
]
Expand All @@ -337,7 +351,7 @@
"name": "huntingquery3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for deleted tables. It depends on the Snowflake data connector and Snowflake data type and Snowflake parser."
"text": "Query searches for deleted tables. This hunting query depends on Snowflake data connector (Snowflake Parser or Table)"
}
}
]
Expand All @@ -351,7 +365,7 @@
"name": "huntingquery4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for rarely used accounts. It depends on the Snowflake data connector and Snowflake data type and Snowflake parser."
"text": "Query searches for rarely used accounts. This hunting query depends on Snowflake data connector (Snowflake Parser or Table)"
}
}
]
Expand All @@ -365,7 +379,7 @@
"name": "huntingquery5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for failed logins. It depends on the Snowflake data connector and Snowflake data type and Snowflake parser."
"text": "Query searches for failed logins. This hunting query depends on Snowflake data connector (Snowflake Parser or Table)"
}
}
]
Expand All @@ -379,7 +393,7 @@
"name": "huntingquery6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for queries which consume abnormal amount of credits. It depends on the Snowflake data connector and Snowflake data type and Snowflake parser."
"text": "Query searches for queries which consume abnormal amount of credits. This hunting query depends on Snowflake data connector (Snowflake Parser or Table)"
}
}
]
Expand All @@ -393,7 +407,7 @@
"name": "huntingquery7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for time consuming queries. It depends on the Snowflake data connector and Snowflake data type and Snowflake parser."
"text": "Query searches for time consuming queries. This hunting query depends on Snowflake data connector (Snowflake Parser or Table)"
}
}
]
Expand All @@ -407,7 +421,7 @@
"name": "huntingquery8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for queries of type UNKNOWN. It depends on the Snowflake data connector and Snowflake data type and Snowflake parser."
"text": "Query searches for queries of type UNKNOWN. This hunting query depends on Snowflake data connector (Snowflake Parser or Table)"
}
}
]
Expand All @@ -421,7 +435,7 @@
"name": "huntingquery9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for rarely used privileged users. It depends on the Snowflake data connector and Snowflake data type and Snowflake parser."
"text": "Query searches for rarely used privileged users. This hunting query depends on Snowflake data connector (Snowflake Parser or Table)"
}
}
]
Expand All @@ -435,7 +449,7 @@
"name": "huntingquery10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for users' source IP addresses. It depends on the Snowflake data connector and Snowflake data type and Snowflake parser."
"text": "Query searches for users' source IP addresses. This hunting query depends on Snowflake data connector (Snowflake Parser or Table)"
}
}
]
Expand Down