Snowflake
| where QueryType =~ 'SHOW'
| where QueryText has_all ('SHOW', 'ROLES')
| extend AccountCustomEntity = TargetUsername
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Snowflake/Analytic Rules/SnowflakePrivilegesDiscovery.yaml
query: |
Snowflake
| where QueryType =~ 'SHOW'
| where QueryText has_all ('SHOW', 'ROLES')
| extend AccountCustomEntity = TargetUsername
version: 1.0.1
tactics:
- Discovery
triggerThreshold: 0
relevantTechniques:
- T1087
entityMappings:
- entityType: Account
fieldMappings:
- columnName: AccountCustomEntity
identifier: Name
kind: Scheduled
queryFrequency: 1h
name: Snowflake - Possible privileges discovery activity
description: |
'Detects possible privileges discovery activity.'
queryPeriod: 1h
triggerOperator: gt
id: 627a4ff1-036b-4375-a9f9-288d5e1d7d37
status: Available
severity: Medium
requiredDataConnectors:
- dataTypes:
- Snowflake
connectorId: Snowflake
