let r_tbl = dynamic(['table_name']);
Snowflake
| where QueryType =~ 'SELECT'
| where QueryExecutionStatus =~ 'SUCCESS'
| extend tbl = extract(@'(FROM|from)\s(\S+)\s', 2, QueryText)
| where tbl in~ (r_tbl)
| extend AccountCustomEntity = TargetUsername
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Snowflake/Analytic Rules/SnowflakeQueryOnSensitiveTable.yaml
queryPeriod: 1h
description: |
'Detects query on sensitive or restricted table.'
triggerThreshold: 0
name: Snowflake - Query on sensitive or restricted table
triggerOperator: gt
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
kind: Scheduled
requiredDataConnectors:
- connectorId: Snowflake
dataTypes:
- Snowflake
queryFrequency: 1h
tactics:
- Collection
id: f258fa0c-e26c-4e2b-94fb-88b6cef0ca6e
status: Available
version: 1.0.1
query: |
let r_tbl = dynamic(['table_name']);
Snowflake
| where QueryType =~ 'SELECT'
| where QueryExecutionStatus =~ 'SUCCESS'
| extend tbl = extract(@'(FROM|from)\s(\S+)\s', 2, QueryText)
| where tbl in~ (r_tbl)
| extend AccountCustomEntity = TargetUsername
severity: Medium
relevantTechniques:
- T1119
