Perry Correll, Principal Technical Content Manager at Cribl, is passionate about the power of observability and how, when done right, it can deliver operational insights into network performance. He has 30+ years of networking experience from early Ethernet to today's observability and has held positions from SE to product management with leading organizations.
Only last month, Cribl added Snowflake to its growing list of accessible data stores it can search. Using Cribl Search, admins can now leverage Cribl’s search-in-place capability to query data located in Snowflake’s data warehouse.
Boy, did we have the timing right? Today, Snowflake customers and other incident response teams are still determining the nexus of the incident. Cribl’s focus is providing a simple way to audit your Snowflake internal tables to identify any potential threat activity in your Snowflake accounts.
In Snowflake’s post, they have identified specific source IP addresses of concern and malicious traffic from clients with unique characteristics. Cribl Search allows users to quickly define queries to identify if any of those source addresses and/or client characteristics exist in their accounts. These queries can be done ad hoc or, as Cribl recommends, on a scheduled basis. If a scheduled search detects any identified IOCs, notifications can be automatically generated, alerting administrators, SOC teams, or others about immediate issues.
Cribl Search Notifications allow administrators to send messages in multiple formats, including Email, PagerDuty, Slack, AWS SNS, or even a Webhook, which may be used to automate actions launched by your SIEM. Additionally, depending on the type of notification used, you can customize the priority and subject of message information.
Query your Snowflake account for login history, IP addresses, or suspected clients in easy-to-follow steps.
Note: For these searches, Snowflake ACCOUNTADMIN privileges are required.
Alternatively, you can create a view that has appropriate privileges using this technique from Snowflake:
First, create a Snowflake Dataset Provider – this tells Cribl Search where to look
Next, create a Snowflake Dataset. This is used to identify what data to search for within your Snowflake account.
Dataset snowflake_account_access, for the query below: Snowflake | Account_Usage | login_history
Dataset snowflake_sessions, for the query below: Snowflake | Account_Usage | sessions
For each Dataset, provide the name, description, and the Snowflake destination to target. Note that your Snowflake admin will have to provide the name of your Warehouse.
Check out our docs for a full, step-by-step configuration guide for your Snowflake account.
Now, we configure Cribl Search for what to look for based on Snowflake's instructions. The snowflake_account_access dataset now points to Snowflake.Account_Usage.login_history (for IP addresses), and the snowflake_sessions dataset now points to Snowflake.account_usage.sessions (for client).
Search snowflake_account_access for suspicious IP addresses, looking for a client_ip that matches the information provided by Snowflake:
dataset="snowflake_account_access"
| where CLIENT_IP in
('104.223.91.28',
'198.54.135.99',
'184.147.100.29',
'146.70.117.210',
'198.54.130.153',
<many addresses omitted> ,
'195.160.223.23',
'XX.XX.XX.XX') // test bad guy
Note: The Snowflake blog post linked above identifies ~300 IPs; you can paste all of them into the query or optionally create a separate lookup table with the IPs and reference that in the search.
Search snowflake_sessions, checking the Client_Environment field for a specific value:
dataset="snowflake_sessions"
| extract type=json source=CLIENT_ENVIRONMENT
| where APPLICATION == 'rapeflake'
or
( APPLICATION == 'DBeaver_DBeaverUltimate'
and OS == 'Windows Server 2022' )
// or (APPLICATION == 'xx' and OS == 'yyyy') // smoke test
With any luck, neither query will return results, which means no potential malicious clients were found.
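The two checks above, as an added example that is not code from this post or from Cribl: the same logic in Python so it can be run offline against exported ACCOUNT_USAGE rows, using the "separate lookup table" form the note suggests for the IP list. The sample rows, the lookup-file text and the function names are constructed for this example; the IoC addresses are the subset quoted above, and the client signatures are the ones in the sessions query.

```python
"""Offline equivalent of the two Cribl Search queries in the post: flag
LOGIN_HISTORY rows whose CLIENT_IP is in an IoC lookup, and flag SESSIONS
rows whose CLIENT_ENVIRONMENT JSON matches a suspicious APPLICATION/OS pair.
Rows are plain dicts keyed by the ACCOUNT_USAGE column names."""
import ipaddress
import json

# Lookup-file text in the "separate lookup table" form the post suggests.
# Constructed: the subset of addresses quoted in the post, one per line,
# with a comment and a blank line to show what the parser tolerates.
IOC_LOOKUP_TEXT = """\
# Snowflake IoC addresses (subset quoted in the post; full list is ~300)
104.223.91.28
198.54.135.99
184.147.100.29
146.70.117.210
198.54.130.153

195.160.223.23  # trailing comment
"""

# Suspicious client signatures from the post's SESSIONS query: the
# application name alone, or an application/OS pair (all keys must match).
SUSPICIOUS_CLIENTS = (
    {"APPLICATION": "rapeflake"},
    {"APPLICATION": "DBeaver_DBeaverUltimate", "OS": "Windows Server 2022"},
)


def load_ioc_lookup(text):
    """Parse a one-address-per-line lookup into a frozenset of normalized IPs.
    Each entry is validated with ipaddress so a typo in the lookup raises
    instead of silently never matching."""
    ips = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if entry:
            ips.add(str(ipaddress.ip_address(entry)))  # ValueError on junk
    return frozenset(ips)


def find_ioc_logins(login_rows, ioc_ips):
    """LOGIN_HISTORY check: rows whose CLIENT_IP is in the IoC set."""
    return [row for row in login_rows if row.get("CLIENT_IP") in ioc_ips]


def find_suspicious_sessions(session_rows, signatures=SUSPICIOUS_CLIENTS):
    """SESSIONS check: parse CLIENT_ENVIRONMENT as JSON and compare APPLICATION
    and OS against each signature. Returns (hits, unparseable_session_ids);
    a row whose JSON is malformed is reported rather than dropped so it
    cannot hide a hit."""
    hits, unparseable = [], []
    for row in session_rows:
        try:
            env = json.loads(row.get("CLIENT_ENVIRONMENT") or "{}")
        except (json.JSONDecodeError, TypeError):
            env = None
        if not isinstance(env, dict):
            unparseable.append(row.get("SESSION_ID"))
            continue
        if any(all(env.get(k) == v for k, v in sig.items()) for sig in signatures):
            hits.append({
                "SESSION_ID": row.get("SESSION_ID"),
                "USER_NAME": row.get("USER_NAME"),
                "APPLICATION": env.get("APPLICATION"),
                "OS": env.get("OS"),
            })
    return hits, unparseable


# Constructed sample rows standing in for exported ACCOUNT_USAGE data.
LOGIN_HISTORY = [
    {"USER_NAME": "ALICE", "CLIENT_IP": "10.0.0.5", "IS_SUCCESS": "YES"},
    {"USER_NAME": "SVC_ETL", "CLIENT_IP": "198.54.135.99", "IS_SUCCESS": "YES"},
    {"USER_NAME": "BOB", "CLIENT_IP": "192.0.2.44", "IS_SUCCESS": "NO"},
]
SESSIONS = [
    {"SESSION_ID": 1, "USER_NAME": "ALICE",
     "CLIENT_ENVIRONMENT": json.dumps({"APPLICATION": "SnowSQL", "OS": "macOS"})},
    {"SESSION_ID": 2, "USER_NAME": "SVC_ETL",
     "CLIENT_ENVIRONMENT": json.dumps({"APPLICATION": "rapeflake", "OS": "Linux"})},
    {"SESSION_ID": 3, "USER_NAME": "CAROL",  # right app, wrong OS: not a hit
     "CLIENT_ENVIRONMENT": json.dumps({"APPLICATION": "DBeaver_DBeaverUltimate", "OS": "Windows 10"})},
    {"SESSION_ID": 4, "USER_NAME": "DAVE",
     "CLIENT_ENVIRONMENT": json.dumps({"APPLICATION": "DBeaver_DBeaverUltimate", "OS": "Windows Server 2022"})},
    {"SESSION_ID": 5, "USER_NAME": "EVE", "CLIENT_ENVIRONMENT": "not json"},
]

if __name__ == "__main__":
    iocs = load_ioc_lookup(IOC_LOOKUP_TEXT)
    for row in find_ioc_logins(LOGIN_HISTORY, iocs):
        print("IoC login:", row)
    hits, bad = find_suspicious_sessions(SESSIONS)
    for hit in hits:
        print("Suspicious session:", hit)
    if bad:
        print("Unparseable CLIENT_ENVIRONMENT in sessions:", bad)
```

Two design points carry over to the scheduled search: the lookup is validated when loaded, so a malformed entry fails loudly instead of quietly never matching, and sessions whose CLIENT_ENVIRONMENT cannot be parsed are surfaced separately rather than silently excluded from the result.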
We dogfooded this in-house first and identified no suspicious IPs or clients. We also set a scheduled search with notifications and dashboards to monitor the accounts. If you want some more information or even have one of our teams provide a guided demo for your environment, then reach out to Cribl at: sales@cribl.io
As the Snowflake incident response analysis develops, Cribl will offer a way to easily and quickly identify any threat activity within your Snowflake account and provide peace of mind. If you are already a Cribl.Cloud customer, you can follow the instructions above and quickly better understand potential threat activity in your network. If you are new to Cribl, create a free account. It only takes 2 minutes, and you can search your Snowflake account in 10 minutes!