What Changed
Snowflake connector polling configuration updated to set queryWindowDelayInMin to 120, so each poll queries a window that lags the current time by two hours; parser KQL logic corrected for start/end timestamp field handling.
Security Impact (Visibility & Fidelity)
The Snowflake connector had a data fidelity gap: the poller requested the most recent window before Snowflake had surfaced those records, so recent events were not ingested. The parser also mishandled the start and end timestamp fields, which distorted temporal correlation of security events:
- Data gap: events from the preceding two hours were missing, because Snowflake surfaces recent records with latency and the poller queried right up to the current time
- Parser fidelity: start/end timestamp fields were parsed incorrectly, skewing timeline analysis and incident correlation
Deployments running prior versions experienced incomplete visibility into recent Snowflake authentication, query execution, and administrative activities.
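The mechanism behind the data gap, as an added example that is not part of the connector or this release: a Python model of a source that surfaces records late and a checkpointed poller that never re-queries a window it has already advanced past, which is the assumption under which a late record is lost rather than merely delayed. The latencies, event spacing and poll interval are constructed values; queryWindowDelayInMin is used only as the name of the delay being simulated.

```python
"""
Model of the polling gap: a source whose records become visible only some
time after they occur (as Snowflake's usage history views do), polled by a
checkpointed collector that never re-queries a window it has advanced past.
All inputs below are constructed for illustration, in minutes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    event_time: int   # minute at which the event happened
    visible_at: int   # minute from which the source will return it


# Constructed sample: one event every 15 minutes for five hours, each
# surfacing after an assumed latency of 15 to 115 minutes (Snowflake documents
# up to about two hours of lag for its account usage views).
LATENCIES = [20, 45, 90, 110, 30, 75, 100, 15, 60, 115]
SOURCE = [Record(15 * i, 15 * i + LATENCIES[i % len(LATENCIES)]) for i in range(20)]


def query(source, now, start, end):
    """What the source returns at time `now` for start <= event_time < end:
    only records it has already surfaced, whatever window was asked for."""
    return [r for r in source if r.visible_at <= now and start <= r.event_time < end]


def poll(source, horizon, interval, window_delay):
    """Checkpointed poller. Every `interval` minutes it queries
    [checkpoint, now - window_delay) and moves the checkpoint forward.
    window_delay=0 models the old configuration; 120 models the fix."""
    collected, checkpoint, now = [], 0, 0
    while now <= horizon:
        end = now - window_delay
        if end > checkpoint:
            collected.extend(query(source, now, checkpoint, end))
            checkpoint = end
        now += interval
    return collected


def missed_events(window_delay, horizon=600, interval=5):
    """Event times the poller never ingests for a given window delay."""
    got = {r.event_time for r in poll(SOURCE, horizon, interval, window_delay)}
    return sorted(r.event_time for r in SOURCE if r.event_time not in got)


if __name__ == "__main__":
    for delay in (0, 60, 120):
        print(f"queryWindowDelayInMin={delay:3d}: missed {len(missed_events(delay))} of {len(SOURCE)}")
```

With a zero delay every record in the model is lost, not just the ones from the last two hours, because by the time a record becomes visible the checkpoint has already moved past its event time; a delay shorter than the source's worst-case latency still drops the slowest records, and only a delay that covers the documented lag closes the gap.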
Parser Impact
Parser updated from version 1.0.3 to 1.0.4 with corrected timestamp field mapping and improved timezone handling. Normalised field names and filter logic are unchanged, so existing detections that reference this parser keep working; note that the values in the start/end timestamp fields change with the corrected mapping, so any rule, workbook or hunting query that compensated for the old behaviour should be re-validated.
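A timestamp normalisation routine with the sanity check a practitioner would run over parser output, added here as an example; it is not the Snowflake.yaml parser logic (which is KQL). The input shapes it accepts (epoch seconds with a fractional part, and date-time text with an optional UTC offset), the START_TIME/END_TIME field names and the sample record are all assumptions constructed for the example.

```python
"""
Timestamp normalisation and a mapping sanity check for start/end fields.
The input shapes (epoch seconds with a fractional part, or date-time text with
an optional UTC offset) are assumptions for this example, not the connector's
actual payload; the sample record is constructed.
"""
import re
from datetime import datetime, timedelta, timezone

EPOCH_RE = re.compile(r"\d+(?:\.\d+)?")
TEXT_RE = re.compile(
    r"(\d{4}-\d{2}-\d{2})[ T](\d{2}:\d{2}:\d{2})(?:\.(\d+))?\s*(Z|[+-]\d{2}:?\d{2})?"
)


def to_utc(value, default_tz=timezone.utc):
    """Parse a timestamp into an aware UTC datetime. Fractional seconds are
    truncated to microseconds. Text with no offset is interpreted in
    `default_tz`; set this to the source's session zone if it is not UTC."""
    text = str(value).strip()
    if EPOCH_RE.fullmatch(text):
        whole, _, frac = text.partition(".")
        micros = int((frac + "000000")[:6])
        return datetime.fromtimestamp(int(whole), tz=timezone.utc) + timedelta(microseconds=micros)
    m = TEXT_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    date, clock, frac, off = m.groups()
    naive = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    naive = naive.replace(microsecond=int(((frac or "") + "000000")[:6]))
    if off is None:
        tz = default_tz
    elif off == "Z":
        tz = timezone.utc
    else:
        sign = 1 if off[0] == "+" else -1
        tz = timezone(sign * timedelta(hours=int(off[1:3]), minutes=int(off[-2:])))
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)


def normalise_event(raw):
    """Map START_TIME/END_TIME to UTC and derive the duration. An end that
    precedes its start is rejected: it is the quickest sign that the parser
    has the two fields crossed or is reading one of them in the wrong zone."""
    start, end = to_utc(raw["START_TIME"]), to_utc(raw["END_TIME"])
    if end < start:
        raise ValueError("END_TIME precedes START_TIME: check the field mapping")
    return {"start_utc": start, "end_utc": end, "duration_s": (end - start).total_seconds()}


# Constructed record: text start with a -07:00 offset, epoch end half a second later.
SAMPLE = {"START_TIME": "2024-05-01 12:31:36.789000000 -0700",
          "END_TIME": "1714591897.289000000"}


def offset_drop_error_seconds():
    """Size of the timeline error when an offset-bearing timestamp is read as
    if it were UTC, i.e. the -0700 suffix is ignored."""
    correct = to_utc(SAMPLE["START_TIME"])
    wrong = to_utc("2024-05-01 12:31:36.789")   # same text, offset dropped
    return (correct - wrong).total_seconds()
```

The same two checks translate directly into a validation query over the parser's output: duration must never be negative, and the distribution of event times should not sit a fixed number of hours away from the ingestion time, which is the signature of an offset being dropped or applied twice.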
Affected Files
Solutions/Snowflake/Data Connectors/SnowflakeLogs_ccp/SnowflakeLogs_PollingConfig.json
Solutions/Snowflake/Parsers/Snowflake.yaml
(packaging artefacts: mainTemplate.json, Solution_Snowflake.json, ReleaseNotes.md)