Skip to main content

S3 Data Export vs. Snowflake Data Share

Lacework supports two export mechanisms—data share via Snowflake and data export via Amazon S3. Both tools are used to export Lacework-processed data to either report/visualize alone or combine with other data to gain insights and make meaningful business decisions. These tools offer long-term data retention and encompass all of Lacework’s data—including alerts, DNS lookups, IP connections, process attributions, etc. The table below compares the two mechanisms to help you determine which best suits your needs.

CategoryS3 Data ExportSnowflake Data Share
User requirements
  • Must have AWS account
  • Must have S3 to host data (we do not provide this)
  • Must have access to an admin role with the ability to run cloud formation or Terraform as an admin
  • Must be Snowflake customer
  • Currently available to Snowflake AWS US-West (AWS us-west-2), AWS EU-central (AWS eu-central-1), and AWS AP-southeast (AWS ap-southeast-2) warehouses
Purpose/use case
  • Provides a flexible way to export additional Lacework data to your preferred destination.
  • This data can be easily moved between availability zones to support global replication.
  • Overall, this feature can be used to export additional data that is not returned by Lacework’s API.
If you’re an existing Snowflake customer, you have the option to use the data share to house all of your data in one central place. This additional data can be used to provide insights into what’s happening in your environment in relation to other activities.
Available data
  • 23 of the available 24 Lacework data share tables currently export into S3 data export integrations. The CLOUD_RESOURCES_V table is not available with S3 data export.
  • This data is updated hourly and is not retroactively updated.
  • All 24 Lacework data share tables currently export into Snowflake.
  • This data is available in real time—whenever we update our table views, a customer's table views are automatically updated. This is true retroactively as well.
Advantages
  • You can access your data up to the 90-day retention period; beyond a 90-day period, a customer will need to use their own form of storage.
  • S3 is a great choice for a customer who needs to get larger data sets (than what our API offers) outside SIEMs, dashboarding/analytics, or SOAR tools.
  • Enables existing Snowflake customers to leverage their existing investment. Existing Snowflake customers can combine all of their Lacework data into existing databases and better analyze their data.
  • Using some existing Snowflake technology, customers can retain data at an extremely low cost (for years).
  • Customers also have the advantages of retroactive and real-time updates of our data share views.
  • Snowflake is a data warehouse.
Update frequencyEvery hour automaticallyEvery hour automatically

We display multiple views that can be shared via Snowflake data share or S3 data export. Each view reflects a table of data in particular areas of the product. In some cases, you may need to merge these views to answer your specific data question.

Last updated on