Tempo is the first cybersecurity solution based on a LogLM, or Log Language Model, invented by DeepTempo. These models are similar to their more familiar cousins, LLMs such as Anthropic's Claude and Llama. Like LLMs, LogLMs are foundation models that apply their understanding across very different environments and in response to differing inputs. However, Tempo was pre-trained using enormous quantities of logs. Tempo is focused on the pattern of events, including relative and absolute time. Tempo has been shown to be extremely accurate, with low false positive and false negative rates.
This guide will walk you through setting up and using the TEMPO Native App in your Snowflake environment with the provided sample data (the CIC dataset).
The data comes from the Canadian Institute for Cybersecurity. You can see the data set, and an explanation of the attacks discerned by Tempo, here.
Click add next to the Incident Inference Logs section. In the popup that opens, click the +Select Data button and find the table you want to use in the dropdown. Select it and click Save.
Note: If you are running with the demo data, simply skip this step and continue.
Open the Projects > Worksheets console in Snowflake. Here you should see a + sign in the top right corner of the screen. We will use this to create our own worksheets. Go ahead and click it now.
Select Databases. This is what you will use to attach our database to this worksheet. If you are using demo data, select the option with TEMPO at the beginning of its name.
In the new worksheet we now need to set up our procedures. We will start with initializing the container resources. Throughout this guide we will provide you with statements to run. Please add them to the sheet. You can run them one by one or add them all to a single worksheet.
CALL management.create_resources();
Purpose: Initializes the application by loading required model weights and configurations.
Required Permissions: Warehouse, compute pool, and task management access.
It is recommended that you run this command before running the sheet as a whole, since it can take some time for the resources to spin up. If you are the account admin you can monitor the resources with SHOW COMPUTE POOLS IN ACCOUNT; once the compute pools are idle you may continue with the rest of the worksheet.
CALL static_detection.inference('your_service_name');
Parameters:
your_service_name: Name of the service to analyze (string). This is set by you and should be unique to each run.
Purpose: Executes inference on the specified service data.
If you want to use the demo, feel free to use a name such as demorun for your_service_name.
CALL inspect.deepdive(sequence_id);
Parameters:
sequence_id: Identifier of the sequence to analyze (integer). This ID can be used later, if any anomalies are detected, to run a deeper investigation on suspicious interactions.
Purpose: Investigates specific sequences flagged as anomalies.
Note: If running on demo data, use 2 as the ID (valid IDs are 1-1200).
The results will be collections of related events making up Suspicious and Anomalous activities. These are the events your security team would want to verify as actual intrusion events.
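The three procedures above as one worksheet, added here as an example that is not part of the original guide: it derives a service name that is unique per run from the current timestamp (the guide requires your_service_name to be unique) and reads the SHOW COMPUTE POOLS output back through RESULT_SCAN so you only continue once no pool is still starting. The demorun_ prefix is a constructed placeholder; the demo database is assumed to be attached.

```sql
-- Added example worksheet (not from the original guide). Assumes the demo
-- database is attached to this worksheet and the procedures are installed.

-- 1. Spin up the container resources and wait for the pools to settle.
CALL management.create_resources();
SHOW COMPUTE POOLS IN ACCOUNT;
-- SHOW output is not a table, so read it back through RESULT_SCAN.
-- Re-run this query until it returns no rows: IDLE means ready, ACTIVE
-- means the pool already has running services, anything else is not ready.
SELECT "name", "state"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "state" NOT IN ('IDLE', 'ACTIVE');

-- 2. Run inference under a service name that is unique to this run.
--    'demorun_' is a constructed placeholder prefix; the timestamp suffix
--    prevents accidentally reusing the name of an earlier run.
SET svc = 'demorun_' || TO_VARCHAR(CURRENT_TIMESTAMP(), 'YYYYMMDD_HH24MISS');
SELECT $svc AS service_name;   -- record the name used for this run
CALL static_detection.inference($svc);

-- 3. Investigate one flagged sequence (demo data: valid IDs are 1-1200).
CALL inspect.deepdive(2);
```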
This optional section guides you through setting up Splunk Enterprise to analyze the output from the Snowflake TEMPO project. It is intended for Splunk users who want a visualization of the output. For this demo we used a trial account on Splunk and imported the results of Tempo as CSV. In a production use case you will more likely use the Snowflake Splunk connector, DBConnect, as explained in the Snowflake documentation here: https://community.snowflake.com/s/article/Integrating-Snowflake-and-Splunk-with-DBConnect
You will need the Splunk Enterprise package (.tgz file) and the anomaly_hub.xml dashboard file. Clone the installer repository, review the install script, make it executable, and run it:
git clone https://github.com/your-username/splunk-tempo-dashboard-installer.git
cd splunk-tempo-dashboard-installer
vi splunk_tempo_install.sh
chmod +x splunk_tempo_install.sh
sudo ./splunk_tempo_install.sh
Open http://your_ip:8000 in a browser and log in with the credentials you set. Create the dashboard by opening anomaly_hub.xml and pasting its contents into the Source view.
Next, go to Settings > Advanced Search > + Add New, set the destination app to search, name the search macro TempoDataLocation, and give it the following definition, replacing the file name and host with the values used for your CSV upload:
source="your-filename.csv" host="Your Name" sourcetype="csv"
You should now be able to see the incidents - or anomalies - in your new dashboard. This enables Security Operations teams to click through on the context provided by Tempo. For example, you can see all transactions to and from a specific IP address, or across given ports, as a part of investigating the incidents that have been identified.
Note that by default only the incidents are uploaded. Not transferring and loading the entire dataset of logs as well simplifies the work of the Security Operator and can also translate into significant cost savings, as Splunk and most security operations solutions tend to charge by data ingested.
Congratulations, you just ran the world's first purpose-built LogLM available as a Snowflake NativeApp. In the weeks to come DeepTempo will launch a range of additional easy-to-use options and extensions as NativeApps, including tooling to simplify the process of using your own data with Tempo and upgrades to the power of Tempo including scale out multi-GPU usage.
To try the app, please follow this link.