
How Event Streaming Works

SlashID continuously monitors your Snowflake environment to detect security threats and suspicious activity, as close to real time as Snowflake's ACCOUNT_USAGE latency allows (see Data Latency below). Here's how the event streaming system works:

Data Collection

SlashID polls the SNOWFLAKE.ACCOUNT_USAGE schema at regular intervals to collect activity logs. Each poll reads four event sources:

  1. Login History - Tracks all authentication attempts, including successful and failed logins
  2. Access History - Records data access patterns, including queries and which objects were accessed
  3. Sessions - Monitors active and historical user sessions
  4. Credentials - Tracks credential lifecycle events, including creation and modification of authentication keys

Incremental Polling

The event streaming system uses an incremental polling approach:

  • First Sync: On the initial connection, SlashID fetches the last 24 hours of activity logs
  • Subsequent Syncs: Each sync fetches only new events since the last poll, using timestamp-based filtering
  • Time Zones: All timestamps are normalized to UTC to ensure consistency

Event Processing

Each event collected from Snowflake is:

  1. Wrapped with metadata identifying its log type (e.g., LOGIN_HISTORY, ACCESS_HISTORY)
  2. Converted to a standardized JSON format
  3. Sent through SlashID's detection engine to identify security risks
  4. Stored for historical analysis and correlation
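The polling loop and the event envelope described in the two sections above, as an added example in Python rather than SlashID's own code. It assumes three of the four sources map to the SNOWFLAKE.ACCOUNT_USAGE views LOGIN_HISTORY, ACCESS_HISTORY and SESSIONS (the column names are Snowflake's), uses pyformat bind parameters as snowflake-connector-python cursors accept them, and replaces the live cursor with an in-memory table of constructed rows so it runs offline. The envelope field names are assumptions. Because a row can reach ACCOUNT_USAGE hours after the event it records (see Data Latency), a timestamp watermark that only asks for events newer than the last poll silently drops late arrivals; the poller below re-reads a lookback window at least as long as the view's maximum latency and de-duplicates by event id instead:

```python
import json
from datetime import datetime, timedelta, timezone

# Timestamp and unique-id columns of three ACCOUNT_USAGE views (Snowflake's own
# column names). The fourth source listed on the page is not modelled here.
VIEW_COLUMNS = {
    "LOGIN_HISTORY": ("EVENT_TIMESTAMP", "EVENT_ID"),
    "ACCESS_HISTORY": ("QUERY_START_TIME", "QUERY_ID"),
    "SESSIONS": ("CREATED_ON", "SESSION_ID"),
}
FIRST_SYNC_WINDOW = timedelta(hours=24)  # initial backfill, as described on the page
LATENCY_LOOKBACK = timedelta(hours=3)    # max ACCOUNT_USAGE lag, as described on the page


def build_query(view, since, until):
    """Return (sql, params) selecting rows whose UTC timestamp lies in (since, until].
    Bind parameters (pyformat style) keep the watermark out of the SQL text."""
    ts_col, _ = VIEW_COLUMNS[view]
    sql = (
        f"SELECT * FROM SNOWFLAKE.ACCOUNT_USAGE.{view} "
        f"WHERE CONVERT_TIMEZONE('UTC', {ts_col}) > %(since)s "
        f"AND CONVERT_TIMEZONE('UTC', {ts_col}) <= %(until)s "
        f"ORDER BY {ts_col}"
    )
    return sql, {"since": since, "until": until}


class IncrementalPoller:
    """Watermark-based poller that tolerates rows landing in ACCOUNT_USAGE late."""

    def __init__(self):
        self.watermark = {}  # view -> UTC time of the last poll
        self.seen = {}       # view -> {event id: event time}, for de-duplication

    def poll(self, view, now, fetch):
        ts_col, id_col = VIEW_COLUMNS[view]
        now = now.astimezone(timezone.utc)
        last = self.watermark.get(view)
        # First sync backfills 24h. Later syncs re-read a lookback window instead of
        # only (last, now], so an event that reached the view after the previous
        # poll but carries an older timestamp is still emitted, exactly once.
        since = now - FIRST_SYNC_WINDOW if last is None else last - LATENCY_LOOKBACK
        sql, params = build_query(view, since, now)
        seen = self.seen.setdefault(view, {})
        fresh = []
        for row in fetch(sql, params):
            if row[id_col] in seen:
                continue  # emitted on an earlier poll
            ts = row[ts_col].astimezone(timezone.utc)  # normalize to UTC
            seen[row[id_col]] = ts
            fresh.append({**row, ts_col: ts})
        # Ids at or below the next poll's lower bound can never be returned again.
        for eid in [e for e, ts in seen.items() if ts <= now - LATENCY_LOOKBACK]:
            del seen[eid]
        self.watermark[view] = now
        return fresh


def wrap_event(view, row):
    """Envelope a raw row with its log type as a JSON string (field names assumed)."""
    ts_col, id_col = VIEW_COLUMNS[view]
    return json.dumps({
        "source": "snowflake",
        "log_type": view,
        "event_id": str(row[id_col]),
        "event_time": row[ts_col].astimezone(timezone.utc).isoformat(),
        "payload": row,
    }, default=str, sort_keys=True)


def make_fetch(table):
    """Stand-in for cursor.execute(sql, params).fetchall() over constructed rows."""
    def fetch(sql, params):
        view = sql.split("SNOWFLAKE.ACCOUNT_USAGE.")[1].split()[0]
        ts_col, _ = VIEW_COLUMNS[view]
        return [r for r in table if params["since"] < r[ts_col] <= params["until"]]
    return fetch


def simulate():
    """Three polls over a constructed LOGIN_HISTORY table: returns the event ids
    emitted per poll and the JSON envelopes. Exercises the 24h backfill, a row
    that landed late, and de-duplication of the re-read window."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

    def row(eid, ts):
        return {"EVENT_ID": eid, "EVENT_TIMESTAMP": ts, "USER_NAME": "ALICE",
                "CLIENT_IP": "198.51.100.7", "IS_SUCCESS": "YES"}

    table = [row(1, t0 - timedelta(hours=25)),  # older than the 24h backfill
             row(2, t0 - timedelta(hours=2))]
    fetch, poller = make_fetch(table), IncrementalPoller()
    emitted, envelopes = [], []

    def run(now):
        fresh = poller.poll("LOGIN_HISTORY", now, fetch)
        emitted.append([e["EVENT_ID"] for e in fresh])
        envelopes.extend(wrap_event("LOGIN_HISTORY", e) for e in fresh)

    run(t0)
    table.append(row(3, t0 - timedelta(hours=1)))  # happened earlier, landed late
    run(t0 + timedelta(hours=1))
    table.append(row(4, t0 + timedelta(hours=1, minutes=30)))
    run(t0 + timedelta(hours=2))
    return emitted, envelopes
```

`simulate()` emits ids `[[2], [3], [4]]`: row 1 falls outside the 24-hour backfill, row 3 is caught on the second poll even though its timestamp predates the first, and row 2 is not emitted twice although the second poll's window covers it again. Against a real account, `make_fetch` is replaced by a cursor on the service account's default warehouse and the poller state is persisted between runs.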

Warehouse Requirements

Event polling requires an active Snowflake warehouse because reads from the ACCOUNT_USAGE views run as ordinary SQL queries. This is why Step 3 in the setup requires assigning a default warehouse to the service account (the role also needs the IMPORTED PRIVILEGES grant on the SNOWFLAKE database to read those views). The warehouse only runs short read queries; an X-Small warehouse with auto-suspend enabled is billed only for the seconds each poll is running, so the cost is small.

Detection Capabilities

By analyzing the streaming events, SlashID can detect:

  • Suspicious login patterns (e.g., impossible travel, unusual login times)
  • Privilege escalation attempts
  • Unauthorized data access
  • Credential compromise indicators
  • Anomalous query patterns
  • Session hijacking attempts
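Two of the detections above, run over LOGIN_HISTORY-shaped rows, as an added example in Python; it is not SlashID's detection engine, whose rules and thresholds this page does not describe. The column names are Snowflake's; the rows, the IP-to-location table and the thresholds (5 failures within 10 minutes, 900 km/h as the fastest plausible travel speed) are constructed for the illustration:

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _t(hour, minute):
    return datetime(2024, 1, 1, hour, minute, tzinfo=timezone.utc)


# Constructed LOGIN_HISTORY-shaped rows (Snowflake column names, made-up values):
# ALICE suffers six failed logins in six minutes, then one success from the same
# address; BOB logs in from New York and, 30 minutes later, from London.
SAMPLE_LOGINS = (
    [{"USER_NAME": "ALICE", "CLIENT_IP": "198.51.100.7", "IS_SUCCESS": "NO",
      "EVENT_TIMESTAMP": _t(9, m)} for m in range(6)]
    + [{"USER_NAME": "ALICE", "CLIENT_IP": "198.51.100.7", "IS_SUCCESS": "YES",
        "EVENT_TIMESTAMP": _t(9, 7)},
       {"USER_NAME": "BOB", "CLIENT_IP": "203.0.113.10", "IS_SUCCESS": "YES",
        "EVENT_TIMESTAMP": _t(10, 0)},
       {"USER_NAME": "BOB", "CLIENT_IP": "203.0.113.200", "IS_SUCCESS": "YES",
        "EVENT_TIMESTAMP": _t(10, 30)}]
)

# Assumed IP -> (lat, lon) lookup; a real pipeline would consult a GeoIP database.
GEO = {
    "198.51.100.7": (37.77, -122.42),  # San Francisco
    "203.0.113.10": (40.71, -74.01),   # New York
    "203.0.113.200": (51.51, -0.13),   # London
}


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def _by_user(rows, keep):
    """Group rows per USER_NAME in timestamp order, keeping those where keep(row)."""
    grouped = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["EVENT_TIMESTAMP"]):
        if keep(r):
            grouped[r["USER_NAME"]].append(r)
    return grouped


def detect_failed_login_bursts(rows, threshold=5, window=timedelta(minutes=10)):
    """Flag a user with >= threshold failures inside `window`, and record whether a
    success followed within the same window (a credential-compromise indicator)."""
    alerts = []
    for user, events in _by_user(rows, lambda r: True).items():
        fails = [e for e in events if e["IS_SUCCESS"] == "NO"]
        for i in range(len(fails)):
            j = i  # extend the window from failure i as far as it reaches
            while (j < len(fails)
                   and fails[j]["EVENT_TIMESTAMP"] - fails[i]["EVENT_TIMESTAMP"] <= window):
                j += 1
            if j - i >= threshold:
                end = fails[j - 1]["EVENT_TIMESTAMP"]
                success_after = any(e["IS_SUCCESS"] == "YES"
                                    and end < e["EVENT_TIMESTAMP"] <= end + window
                                    for e in events)
                alerts.append({"rule": "failed_login_burst", "user": user,
                               "failures": j - i,
                               "source_ips": sorted({f["CLIENT_IP"] for f in fails[i:j]}),
                               "success_after_burst": success_after})
                break  # one alert per user is enough for this example
    return alerts


def detect_impossible_travel(rows, geo=GEO, max_kmh=900.0):
    """Flag consecutive successful logins by one user whose implied ground speed
    exceeds max_kmh; anything faster than an airliner cannot be the same person."""
    def ok(r):
        return r["IS_SUCCESS"] == "YES" and r["CLIENT_IP"] in geo

    alerts = []
    for user, events in _by_user(rows, ok).items():
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(geo[prev["CLIENT_IP"]], geo[cur["CLIENT_IP"]])
            hours = (cur["EVENT_TIMESTAMP"] - prev["EVENT_TIMESTAMP"]).total_seconds() / 3600
            speed = km / max(hours, 1 / 3600)  # clamp to one second; avoids divide-by-zero
            if km > 0 and speed > max_kmh:
                alerts.append({"rule": "impossible_travel", "user": user,
                               "from_ip": prev["CLIENT_IP"], "to_ip": cur["CLIENT_IP"],
                               "distance_km": round(km), "implied_kmh": round(speed)})
    return alerts
```

On the sample rows, `detect_failed_login_bursts` flags ALICE (six failures, success within the window) and `detect_impossible_travel` flags BOB (about 5,570 km in half an hour). Both rules consume the same LOGIN_HISTORY rows the poller delivers, so, given the ACCOUNT_USAGE latency described below, an alert trails the login it describes by up to a few hours.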

Data Latency

Snowflake's ACCOUNT_USAGE views have a latency of 45 minutes to 3 hours depending on the specific view (for example, up to 2 hours for LOGIN_HISTORY and up to 3 hours for ACCESS_HISTORY and SESSIONS). This means there may be a delay between when an activity occurs in your Snowflake account and when it appears in the SlashID dashboard. It also means a row can land in a view after a poll whose time range already covered the row's timestamp, so timestamp-based filtering has to re-read a window at least as long as the view's maximum latency rather than only the interval since the last poll. This is a Snowflake platform limitation, not a SlashID limitation.