let r_tbl = dynamic(['table_name']);
Snowflake
| where QueryType =~ 'SELECT'
| where QueryExecutionStatus =~ 'SUCCESS'
| extend tbl = extract(@'(FROM|from)\s(\S+)\s', 2, QueryText)
| where tbl in~ (r_tbl)
| extend AccountCustomEntity = TargetUsername
queryFrequency: 1h
kind: Scheduled
version: 1.0.1
relevantTechniques:
- T1119
triggerOperator: gt
status: Available
requiredDataConnectors:
- connectorId: Snowflake
dataTypes:
- Snowflake
id: f258fa0c-e26c-4e2b-94fb-88b6cef0ca6e
name: Snowflake - Query on sensitive or restricted table
query: |
let r_tbl = dynamic(['table_name']);
Snowflake
| where QueryType =~ 'SELECT'
| where QueryExecutionStatus =~ 'SUCCESS'
| extend tbl = extract(@'(FROM|from)\s(\S+)\s', 2, QueryText)
| where tbl in~ (r_tbl)
| extend AccountCustomEntity = TargetUsername
queryPeriod: 1h
triggerThreshold: 0
description: |
'Detects query on sensitive or restricted table.'
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
severity: Medium
tactics:
- Collection
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Snowflake/Analytic Rules/SnowflakeQueryOnSensitiveTable.yaml
