This article explains connecting Snowflake to Workbench.


When the system runs queries and receives data, it consumes CU (compute units) which have a monetary value assigned to them. The cost can get high for a robust environment.

Before you start

Step 1: Enable console access

Step 2: Configure the technology in Workbench

Viewing security device details

Make sure you have the following available to you:

  • An account with sufficient permissions to perform the tasks detailed in this article. This guide was tested using the default ACCOUNTADMIN role.

  • The ability to run SQL queries.

  • Access to the openssl and base64 command line tools.

Step 1: Enable console access


Expel secures all login information our SOC analysts need about your devices in a MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.

  1. Log in to the Snowflake console and navigate to Admin > Warehouses. Create a new warehouse and name it Expel_warehouse. Click Create Warehouse.

  2. Navigate to Admin > Users&Roles > Roles and create a new role named EXPELROLE. Click Create Role.

  3. In SnowSQL CLI, grant the SECURITY_VIEWER role the the EXPELROLE with the following command:


    This command allows Expel to retrieve events from the following views:




  4. Navigate to Admin > Users&Roles > Users and create a new user named EXPEL_INTEGRATION. Set the Default Role to EXPELROLE and the Default Warehouse to EXPEL_WAREHOUSE.

  5. Click Save User.

  6. In the openSSL command line, generate an encrypted RSA private key. You’re prompted to type a passphrase.

    $ openssl genrsa 2048 | openssl pkcs8 -topk8 -v2 des3 -inform PEM -out rsa_key.p8


    Write down the passphrase because you need it later in this article.

  7. Generate the corresponding public key using the following command:

    $ openssl rsa -in rsa_key.p8 -pubout -out

  8. In Snowflake, use the following SQL statement to attach the public key from the previous step to the Expel user.


    See the Snowflake documentation for more information.

  9. Navigate to Admin > Warehouses and transfer the ownership of EXPEL_WAREHOUSE to the EXPELROLE.

  10. Determine the account identifier. It usually has the following format: orgname-account_name. It's typically in the URL you use to log in.

    Detailed instructions can be found here.

  11. Encode the private key using the following command:

    cat rsa_key.p8 | base64 > encoded_private_key.txt

Step 2: Configure the technology in Workbench

  1. Log into The Add Security Device screen for Snowflake appears.

  2. Fill out the fields like this:

    • Name: Expel.

    • Location: the location of your server.

    • Username: EXPEL_INTEGRATION.

    • Account: the account identifier (URL).

    • Private key: the encoded private key.

    • Passphrase: the passphrase you used while generating the key.

    • Warehouse name: EXPEL_WAREHOUSE.

  3. Your device is now connected. To check device health, follow the Viewing security device details instructions below.

Viewing security device details

After your devices are connected to Workbench, you can view details about them. To open the device details, click Organization Settings > Security Devices. Locate the device you want more details for. Click the arrow next to the name and click View details.


The side panel that appears looks like this:


The side panel contains the following sections:

  • Device Health: you see an Alerts Analysis dashboard snapshot for the selected device along with the device’s health status, connection, data, and alerts data. This at-a-glance information let's you stay on top of the device and what it's doing.


    If you have a AWS CloudTrail device, you also see a Last data received time stamp that shows you when we last polled for log data. You also see a Last successful poll time stamp. These help you know if your AWS CloudTrail device is communicating with Workbench, even if alerts aren't being generated. We're working on deploying the last data received capability to other devices.

    If you have a AWS CloudTrail, you also see View Inaccessible Accounts. Clicking this button shows you the AWS accounts that are inaccessible to Workbench. This can highlight gaps in service delivery for AWS CloudTrail. To provide access, login to your AWS environment associated with the device and grant permission.

  • Information: you see general device data, including the device name, location, GUID, and so on. These are the data points associated with creating or editing a device.

  • History: you see the history of changes in health status or edits made by a Workbench user. You know what changed, who made the change, and when.

In these sections you can click buttons to copy information or go directly to other areas in Workbench. Additionally, we include tool tips to help you understand what you're seeing.

In the side panel, you can edit the selected device by clicking Edit Device. You can also navigate to the previous or next device in the list by clicking the arrows.



This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!