Snowflake Monitor Usage

Anvilogic Forge

Summary
This detection rule monitors the execution of 'MONITOR USAGE' queries within Snowflake environments. It aims to identify potential unauthorized monitoring activity that may be linked to the threat actor UNC5537, which is known for exploiting cloud services. The rule leverages the Snowflake query history to track queries executed in the last two hours and filters for those that begin with 'monitor usage'. This pattern could indicate attempts to extract telemetry data or gain insight into resource usage, which could be a precursor to more damaging activity. The associated technique, T1098 (Account Manipulation), covers adversary actions that modify or exploit user accounts, which is why monitoring such queries matters for security posture. Application logs are listed as the data category because detecting anomalous user behavior or unauthorized actions depends on monitoring cloud application logs.
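The filter the summary describes (a two-hour lookback over query history, keeping only queries whose text begins with 'monitor usage'), as an added illustration that is not the rule's own logic; the sample rows are constructed and only loosely shaped like Snowflake query-history records:

```python
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like Snowflake query-history records
# (QUERY_TEXT, START_TIME, USER_NAME, ROLE_NAME). Not real telemetry.
NOW = datetime(2024, 5, 31, 12, 0, tzinfo=timezone.utc)
SAMPLE_QUERY_HISTORY = [
    {"QUERY_TEXT": "MONITOR USAGE ON ACCOUNT",
     "START_TIME": NOW - timedelta(minutes=15), "USER_NAME": "SVC_ETL", "ROLE_NAME": "ACCOUNTADMIN"},
    {"QUERY_TEXT": "  monitor usage on warehouse reporting_wh",
     "START_TIME": NOW - timedelta(hours=1, minutes=50), "USER_NAME": "JDOE", "ROLE_NAME": "SYSADMIN"},
    {"QUERY_TEXT": "monitor usage on account",
     "START_TIME": NOW - timedelta(hours=3), "USER_NAME": "JDOE", "ROLE_NAME": "SYSADMIN"},  # outside window
    {"QUERY_TEXT": "SELECT * FROM sales.orders",
     "START_TIME": NOW - timedelta(minutes=5), "USER_NAME": "ANALYST1", "ROLE_NAME": "ANALYST"},
    {"QUERY_TEXT": "GRANT MONITOR USAGE ON ACCOUNT TO ROLE reporting",
     "START_TIME": NOW - timedelta(minutes=30), "USER_NAME": "JDOE", "ROLE_NAME": "SECURITYADMIN"},  # contains, does not begin with
]


def find_monitor_usage_queries(rows, now, window=timedelta(hours=2), prefix="monitor usage"):
    """Return rows executed within `window` before `now` whose query text begins with `prefix`.

    Matching is case-insensitive and ignores leading whitespace, so 'MONITOR USAGE ...'
    and '  monitor usage ...' both match, while a GRANT statement that merely contains
    the phrase does not: the rule keys on how the query text starts.
    """
    cutoff = now - window
    hits = []
    for row in rows:
        if row["START_TIME"] < cutoff:
            continue
        text = row["QUERY_TEXT"].lstrip().lower()
        if text.startswith(prefix):
            hits.append(row)
    return hits


def summarize(hits):
    """Collapse hits into per-user counts, the shape a triage alert typically carries."""
    counts = {}
    for h in hits:
        counts[h["USER_NAME"]] = counts.get(h["USER_NAME"], 0) + 1
    return counts


if __name__ == "__main__":
    matched = find_monitor_usage_queries(SAMPLE_QUERY_HISTORY, NOW)
    for h in matched:
        print(h["START_TIME"].isoformat(), h["USER_NAME"], h["ROLE_NAME"], h["QUERY_TEXT"].strip())
    print(summarize(matched))
```

In production this filter would run as a query against Snowflake's query history rather than in Python; when the source is the ACCOUNT_USAGE view, keep in mind that it lags by up to about 45 minutes, which matters for a two-hour lookback.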
Categories
  • Cloud
  • Application
Data Sources
  • Application Log
ATT&CK Techniques
  • T1098
Created: 2024-05-31