Merge pull request #70 from Snowflake-Labs/GSE-2738-add-new-columns

GSE-2738: Add ENTITIES AND TAGS column to non-ECS SnowAlert
Snowflake-Labs · Jul 28, 2023 · b04c209 · b04c209
2 parents cc05344 + 53e51df
commit b04c209
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 1 deletion.
diff --git a/functions.tf b/functions.tf
@@ -340,7 +340,7 @@ depends_on = [
 }
 
 resource "snowflake_function" "convert_time_period_to_seconds" {
-  provider = snowflake.security_alerting_role
+  provider = snowflake.alerting_role
 
   database = local.snowalert_database_name
   schema   = local.data_schema

diff --git a/procedures_js/alert_queries_runner.js b/procedures_js/alert_queries_runner.js
@@ -62,6 +62,8 @@ SELECT '$${RUN_ID}' run_id
       'EVENT_TIME', IFNULL(EVENT_TIME::VARIANT, PARSE_JSON('null')),
       'ALERT_TIME', IFNULL(ALERT_TIME::VARIANT, PARSE_JSON('null')),
       'DESCRIPTION', IFNULL(DESCRIPTION::VARIANT, PARSE_JSON('null')),
+      'ENTITIES', $${defaultNullReference('ENTITIES::VARIANT')},
+      'TAGS', $${defaultNullReference('TAGS::VARIANT')},
       'DETECTOR', IFNULL(DETECTOR::VARIANT, PARSE_JSON('null')),
       'EVENT_DATA', IFNULL(EVENT_DATA::VARIANT, PARSE_JSON('null')),
       'SEVERITY', IFNULL(SEVERITY::VARIANT, PARSE_JSON('null')),

diff --git a/views_sql/alerts.sql b/views_sql/alerts.sql
@@ -15,6 +15,8 @@ SELECT alert['ALERT_ID']::VARCHAR AS id
     , alert['ACTION']::VARCHAR       AS action
     , alert['TITLE']::VARCHAR        AS title
     , alert['DESCRIPTION']::VARCHAR  AS description
+    , alert['ENTITIES']::VARIANT     AS entities
+    , alert['TAGS']::VARIANT         AS tags
     , alert['DETECTOR']::VARCHAR     AS detector
     , alert['EVENT_DATA']::VARIANT   AS event_data
     , alert['SEVERITY']::VARCHAR     AS severity