What Changed

Snowflake solution version 3.0.5 updates the parser to version 1.0.1, correcting the EventStartTime field mapping and removing commented-out code that was causing data fidelity issues.

Data Fidelity Risk (Pre-Fix)

The parser contained a commented-out EventStartTime mapping that prevented proper temporal field normalization. This resulted in missing EventStartTime values in the normalized Snowflake events, impacting time-based analysis and correlation capabilities.

Parser Corrections

  • EventStartTime mapping restored: The parser now properly maps EventStartTime using column_ifexists at the final project stage
  • Code cleanup: Removed the commented-out EventStartTime mapping that was causing confusion
  • Field consolidation: Improved coalescing of database and table name fields for better normalization

Security Impact (Visibility & Fidelity)

Organizations using Snowflake data for security monitoring will now have proper temporal context for events. Previously, queries relying on EventStartTime for timeline analysis or temporal correlation would return null values, creating gaps in security investigations and compliance reporting.
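A post-upgrade check for the gap described above, as an added example that is not part of the solution's own content: it reports, per day, how many parsed Snowflake events still lack EventStartTime. It assumes the parser is deployed as a workspace function named Snowflake and that its output retains TimeGenerated; adjust both to match your deployment.

```kql
// Added example, not taken from the Snowflake solution.
// Assumptions: parser function alias is "Snowflake"; TimeGenerated survives the parser's final project.
Snowflake
| where TimeGenerated > ago(14d)
// column_ifexists keeps the query valid even when the parser output has no EventStartTime column;
// tostring + isempty treats a null datetime and an empty string the same way.
| extend StartTimeText = tostring(column_ifexists("EventStartTime", ""))
| summarize
    Events = count(),
    MissingStartTime = countif(isempty(StartTimeText))
    by Day = bin(TimeGenerated, 1d)
// Share of events per day that cannot be placed on a timeline by EventStartTime
| extend MissingPct = round(100.0 * MissingStartTime / Events, 2)
| order by Day asc
```

Days that still show a high MissingPct after the upgrade mark the window in which saved queries and analytics rules keyed on EventStartTime returned incomplete results.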

Affected Files

Solutions/Snowflake/Parsers/Snowflake.yaml (packaging artefacts: mainTemplate.json, createUiDefinition.json, ReleaseNotes.md)