Snowflake Create Network Policy

Anvilogic Forge

Summary
This detection rule aims to identify the creation of network policies within a Snowflake data platform environment. Specifically, it queries the `snowflake.account_usage.query_history` to check for events that occurred in the last two hours, focusing on queries that include both 'create' and 'network policy' phrases in their SQL statements. The underlying logic uses SQL syntax tailored for Snowflake, leveraging date functions to filter the query history based on recent activity. This type of monitoring is essential for spotting potential unauthorized changes to network configurations, which might indicate attempts to manipulate access controls or persist malicious changes. Such persistence techniques fall under MITRE ATT&CK technique T1098, which encompasses account manipulation and unauthorized modifications intended to maintain access.
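The following Snowflake query is an added illustration of the detection logic described above; it is not the Anvilogic Forge rule's own SQL. The column names are those of the `SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY` view; the two-hour window follows the summary, and the self-exclusion filter is an assumption added so the hunting query does not match its own text.

```sql
-- Added example of the detection described above (not the Forge rule's own query).
-- Columns come from SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY; the window and the
-- self-exclusion filter are assumptions for this example.
SELECT
    start_time,
    user_name,
    role_name,
    query_id,
    execution_status,        -- keep FAILED rows visible: attempts matter too
    query_text
FROM snowflake.account_usage.query_history
WHERE start_time >= DATEADD(hour, -2, CURRENT_TIMESTAMP())
  -- Both phrases must appear; ILIKE makes the match case-insensitive,
  -- so CREATE, create, and CREATE OR REPLACE NETWORK POLICY all match
  AND query_text ILIKE '%create%'
  AND query_text ILIKE '%network policy%'
  -- Exclude this hunting query itself, whose text also contains both phrases
  AND query_text NOT ILIKE '%account_usage.query_history%'
ORDER BY start_time DESC;
```

Two caveats when scheduling this: the ACCOUNT_USAGE views are populated with a delay (documented as up to about 45 minutes for QUERY_HISTORY), so the two-hour look-back absorbs that lag, and reading the schema requires ACCOUNTADMIN or a role granted IMPORTED PRIVILEGES on the SNOWFLAKE database. The substring match is intentionally broad; it will also surface comments or string literals containing the phrases, and it does not cover `ALTER NETWORK POLICY`, `DROP NETWORK POLICY`, or `ALTER USER ... SET NETWORK_POLICY`, which are worth pairing with this rule for complete coverage of network-policy changes.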
Categories
  • Cloud
Data Sources
  • Application Log
ATT&CK Techniques
  • T1098
Created: 2024-05-31