This article explains connecting Snowflake to Workbench.

Caution

When the system runs queries and receives data, it consumes CU (compute units). The system also consumes CU for periodic event polling.

CU have a monetary value assigned to them. The number of CU that are consumed depends on your organization's size and user activity. The cost can get high for a robust environment. To control the cost of consuming CU, you can set the warehouse to auto-suspend after 1 minute of inactivity. We can also reduce our polling frequency, which can reduce consumed CU.

Before you start

Step 1: Enable console access

Step 2: Configure the technology in Workbench

Viewing security device details

Make sure you have the following available to you:

  • An account with sufficient permissions to perform the tasks detailed in this article. This guide was tested using the default ACCOUNTADMIN role.

  • The ability to run SQL queries.

  • Access to the openssl command line tool.

Step 1: Enable console access

Note

Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.

  1. Log in to the Snowflake console and navigate to Admin > Warehouses. Create a new warehouse and name it Expel_warehouse. Click Create Warehouse.

  2. Navigate to Admin > Users&Roles > Roles and create a new role named EXPELROLE. Click Create Role.

  3. In SnowSQL CLI, grant the SECURITY_VIEWER role the EXPELROLE with the following command:

    GRANT DATABASE ROLE SNOWFLAKE.SECURITY_VIEWER TO ROLE EXPELROLE

    This command allows Expel to retrieve events from the following views:

    • SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY

    • SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES

    • SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_USERS

  4. Navigate to Admin > Users&Roles > Users and create a new user named EXPEL_INTEGRATION. Set the Default Role to EXPELROLE and the Default Warehouse to EXPEL_WAREHOUSE.

  5. Click Save User.

  6. In the openSSL command line, generate an encrypted RSA private key. You’re prompted to type a passphrase.

    $ openssl genrsa 2048 | openssl pkcs8 -topk8 -v2 des3 -inform PEM -out rsa_key.p8

    Tip

    Write down the passphrase because you need it later in this article.

  7. Generate the corresponding public key using the following command:

    $ openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub

  8. In Snowflake, use the following SQL statement to attach the public key from the previous step to the Expel user.

    ALTER USER EXPEL_INTEGRATION SET RSA_PUBLIC_KEY='MIIBI...';

    See the Snowflake documentation for more information.

  9. Navigate to Admin > Warehouses and transfer the ownership of EXPEL_WAREHOUSE to the EXPELROLE.

  10. Determine the account identifier. It usually has the following format: orgname-account_name. It's typically in the URL you use to log in.

    Detailed instructions can be found here.

Step 2: Configure the technology in Workbench

  1. Log into https://workbench.expel.io/settings/security-devices?setupIntegration=snowflake. The Add Security Device screen for Snowflake appears.

    Snowflake_AddSecDev.png
  2. Fill out the fields like this:

    • Name: Expel.

    • Location: the location of your server.

    • Username: EXPEL_INTEGRATION.

    • Account: the org name from the account identifier (URL).

    • Private key: the generated private key.

    • Passphrase: the passphrase you used while generating the key.

    • Warehouse name: EXPEL_WAREHOUSE.

  3. Your device is now connected. To check device health, follow the Viewing security device details instructions below.

Viewing security device details

After your devices are connected to Workbench, you can view details about them. To open the device details, click Organization Settings > Security Devices. Locate the device you want more details for. Click the arrow next to the name and click View details.

WB_View_Details_list_2.png

The side panel that appears looks like this:

WB_side_panel_2.png

The side panel contains the following sections:

  • Device Health: you see an Alerts Analysis dashboard snapshot for the selected device along with the device’s health status, connection, data, and alerts data. This at-a-glance information let's you stay on top of the device and what it's doing.

  • Information: you see general device data, including the device name, location, GUID, and so on. These are the data points associated with creating or editing a device.

  • History: you see the history of changes in health status or edits made by a Workbench user. You know what changed, who made the change, and when.

In these sections you can click buttons to copy information or go directly to other areas in Workbench. Additionally, we include tool tips to help you understand what you're seeing.

In the side panel, you can edit the selected device by clicking Edit Device. You can also navigate to the previous or next device in the list by clicking the arrows.

WB_edit_device_2.png

Tip

This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!