let r_tbl = dynamic(['table_name']);
Snowflake
| where QueryType =~ 'SELECT'
| where QueryExecutionStatus =~ 'SUCCESS'
| extend tbl = extract(@'(FROM|from)\s(\S+)\s', 2, QueryText)
| where tbl in~ (r_tbl)
| extend AccountCustomEntity = TargetUsername
entityMappings:
- fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
entityType: Account
triggerThreshold: 0
queryPeriod: 1h
relevantTechniques:
- T1119
query: |
let r_tbl = dynamic(['table_name']);
Snowflake
| where QueryType =~ 'SELECT'
| where QueryExecutionStatus =~ 'SUCCESS'
| extend tbl = extract(@'(FROM|from)\s(\S+)\s', 2, QueryText)
| where tbl in~ (r_tbl)
| extend AccountCustomEntity = TargetUsername
triggerOperator: gt
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Snowflake/Analytic Rules/SnowflakeQueryOnSensitiveTable.yaml
id: f258fa0c-e26c-4e2b-94fb-88b6cef0ca6e
version: 1.0.1
name: Snowflake - Query on sensitive or restricted table
requiredDataConnectors:
- connectorId: Snowflake
dataTypes:
- Snowflake
tactics:
- Collection
status: Available
description: |
'Detects query on sensitive or restricted table.'
severity: Medium
queryFrequency: 1h
