What Changed

Complete rewrite of Snowflake parser data extraction logic in Snowflake.yaml (533 new lines, 516 removed). The connector now uses extractjson() functions against JSON field names instead of array index-based extraction from todynamic() results.

Security Impact (Visibility & Fidelity)

Deployments using the previous version experienced complete data fidelity loss — all Snowflake log fields returned null values due to malformed SQL array parsing. This created a comprehensive blind spot across:

  • Authentication events (login failures, privilege escalation)
  • Data access patterns (query logs, table access)
  • User and role management activities
  • Database schema changes and table operations

The fix restores proper field mapping for all 10 Snowflake log types, enabling detection of insider threats, unauthorized access, and data exfiltration attempts.

Parser Impact

All Snowflake log views now extract fields using JSON property names rather than positional array access:

  • Authentication: extractjson("$.USER_NAME") vs DataList[3]
  • Query logs: extractjson("$.QUERY_TEXT") vs DataList[4]
  • User management: extractjson("$.GRANTEE_NAME") vs DataList[4]

This change makes the parser resilient to Snowflake API schema changes (fields added or reordered) and eliminates the field misalignment that positional access produced.
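As an added example (not the solution's own parser code), the KQL below runs both extraction styles side by side over constructed login rows so the failure mode and the fix are visible in one result set. Only USER_NAME comes from the summary above; EVENT_TYPE, IS_SUCCESS and the other keys are assumed from Snowflake's LOGIN_HISTORY view.

```kql
// Constructed sample rows modelled on Snowflake login events; not real data.
// The second row has a different key order and one extra key.
let SnowflakeLoginSample = datatable(TimeGenerated: datetime, RawData: string) [
    datetime(2024-01-01T00:00:00Z),
      '{"EVENT_TIMESTAMP":"2024-01-01T00:00:00Z","EVENT_TYPE":"LOGIN","USER_NAME":"alice","IS_SUCCESS":"YES"}',
    datetime(2024-01-01T00:01:00Z),
      '{"EVENT_TYPE":"LOGIN","USER_NAME":"bob","IS_SUCCESS":"NO","ERROR_MESSAGE":"constructed sample","EVENT_TIMESTAMP":"2024-01-01T00:01:00Z"}'
];
SnowflakeLoginSample
| extend DataList = todynamic(RawData)
// Previous approach: integer index into what is actually a JSON object.
// KQL returns null for every such lookup, which is the "all fields null"
// symptom described above, independent of row shape or key order.
| extend OldUserName = DataList[3], OldIsSuccess = DataList[4]
// Fixed approach: look the property up by name. Key order and newly added
// keys (ERROR_MESSAGE on the second row) no longer affect the result.
| extend UserName = extractjson("$.USER_NAME", RawData, typeof(string)),
         IsSuccess = extractjson("$.IS_SUCCESS", RawData, typeof(string))
// A detection-ready derived field that was impossible while everything was null
| extend LoginFailed = IsSuccess == "NO"
| project TimeGenerated, OldUserName, OldIsSuccess, UserName, IsSuccess, LoginFailed
```

OldUserName and OldIsSuccess come back null on both rows, while UserName and IsSuccess populate correctly on both, including the row whose key order differs.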

Affected Files

Solutions/Snowflake/Parsers/Snowflake.yaml
Solutions/Snowflake/Data Connectors/SnowflakeLogs_ccp/ (13 connector configs)
(packaging artefacts: mainTemplate.json, Solution_Snowflake.json, 3.0.6.zip)