
Snowflake Get

Anvilogic Forge

Summary
This detection rule identifies potentially malicious GET operations in Snowflake. GET downloads files from a Snowflake stage to the client host, so it retrieves data that has already been staged (typically unloaded into a stage with COPY INTO) and is the step that moves staged data off the platform. The query analyzes the account usage query history (SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY) for GET statements executed in the last two hours, filtering on the query start time and the presence of a GET command; such activity may indicate data being staged for exfiltration. Staging data in a stage and pulling it down with GET is a behavior associated with the threat actor UNC5537, which has been linked to data theft and extortion activity against Snowflake customer environments. If detected, this could signify a serious security breach that warrants immediate investigation, starting with the user, role, client application and source IP behind the session.
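The following Snowflake SQL is an added worked example in the shape the summary describes; it is not the Anvilogic Forge rule's own query text. It assumes that QUERY_HISTORY labels GET commands with QUERY_TYPE = 'GET_FILES' and COPY INTO <location> unloads with QUERY_TYPE = 'UNLOAD', measures the two-hour window on START_TIME, and goes beyond the summary by joining SESSIONS and LOGIN_HISTORY to surface the client application and source IP, and by flagging sessions that also ran an unload (the staging step, T1074.001) before the GET.

```sql
-- Added example, not the rule's own logic. Assumptions (not stated on the page):
-- QUERY_TYPE 'GET_FILES' marks GET commands, 'UNLOAD' marks COPY INTO <location>,
-- and the SESSIONS / LOGIN_HISTORY joins are an enrichment of my own.
WITH recent_get AS (
    SELECT
        q.query_id,
        q.session_id,
        q.user_name,
        q.role_name,
        q.start_time,
        q.execution_status,
        q.query_text
    FROM snowflake.account_usage.query_history AS q
    WHERE q.start_time >= DATEADD('hour', -2, CURRENT_TIMESTAMP())
      -- GET pulls staged files down to the client; match on the typed query
      -- category, with a text match as a fallback in case the label differs.
      AND (q.query_type = 'GET_FILES' OR q.query_text ILIKE 'GET %')
),
recent_unload AS (
    -- COPY INTO a stage within the same window: the staging step that
    -- usually precedes a GET in the UNC5537 pattern.
    SELECT session_id, MIN(start_time) AS first_unload_time
    FROM snowflake.account_usage.query_history
    WHERE start_time >= DATEADD('hour', -2, CURRENT_TIMESTAMP())
      AND query_type = 'UNLOAD'
    GROUP BY session_id
)
SELECT
    g.start_time,
    g.user_name,
    g.role_name,
    s.client_application_id,
    l.client_ip,
    l.first_authentication_factor,
    l.second_authentication_factor,
    g.execution_status,
    -- TRUE when the same session unloaded data before issuing the GET.
    (u.first_unload_time IS NOT NULL AND u.first_unload_time < g.start_time)
        AS staged_in_same_session,
    g.query_text
FROM recent_get AS g
LEFT JOIN recent_unload AS u
       ON u.session_id = g.session_id
LEFT JOIN snowflake.account_usage.sessions AS s
       ON s.session_id = g.session_id
LEFT JOIN snowflake.account_usage.login_history AS l
       ON l.event_id = s.login_event_id
ORDER BY staged_in_same_session DESC, g.start_time DESC;
```

Two caveats when running this as a scheduled detection: the ACCOUNT_USAGE views are not real time (QUERY_HISTORY can lag by up to about 45 minutes), so a strict two-hour window evaluated every hour can miss events unless the window overlaps the lag; for near-real-time hunting, the INFORMATION_SCHEMA.QUERY_HISTORY() table function is closer to live but only covers the last seven days. Also, GET is routinely used by ETL tooling, so tune on the client application and source IP columns before alerting rather than on the bare presence of a GET.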
Categories
  • Cloud
  • Application
Data Sources
  • Application Log
ATT&CK Techniques
  • T1074.001 (Data Staged: Local Data Staging)
  • T1074 (Data Staged)
Created: 2024-06-10