Snowflake USE ROLE ACCOUNTADMIN Database Query

Anvilogic Forge

Summary
This detection rule monitors Snowflake database activity to identify attempts by users to escalate their privileges to the ACCOUNTADMIN role. It queries the Snowflake account usage query history for activity within the last two hours, looking specifically for statements that use the 'USE ROLE ACCOUNTADMIN' syntax. Any such statement indicates an attempt to obtain the highest level of permissions in the account, which may indicate misuse of a valid account by an unauthorized party. The rule uses a regex pattern to match the role switch precisely so that legitimate administrative sessions can be separated from potentially malicious ones during triage. This is crucial for maintaining security and adhering to the principle of least privilege within Snowflake environments.
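The following is an added illustration of the query shape described above; it is not Anvilogic's rule as shipped. It reads the real SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY view (column names START_TIME, USER_NAME, ROLE_NAME, EXECUTION_STATUS, ERROR_MESSAGE, SESSION_ID, QUERY_ID and QUERY_TEXT exist in that view), while the two-hour window, the regex itself and the column selection are this example's own choices. It assumes the executing role can read the SNOWFLAKE shared database (ACCOUNTADMIN, or a role granted IMPORTED PRIVILEGES on it).

```sql
-- Added example (not the Anvilogic Forge rule): surface every
-- "USE ROLE ACCOUNTADMIN" statement issued in the last two hours.
-- Assumes read access to SNOWFLAKE.ACCOUNT_USAGE.
SELECT
    start_time,
    user_name,
    role_name        AS role_before_switch,  -- role the session held when the statement ran
    execution_status,                        -- SUCCESS or FAIL; failed attempts are still signal
    error_message,                           -- populated when the user did not hold the role
    session_id,
    query_id,
    query_text
FROM snowflake.account_usage.query_history
WHERE start_time >= DATEADD(hour, -2, CURRENT_TIMESTAMP())
  -- Constructed pattern. Snowflake's REGEXP_LIKE must match the whole
  -- string, hence the leading and trailing ".*". Dollar quoting keeps the
  -- backslashes literal. 'i' = case-insensitive, 's' = "." spans newlines
  -- so multi-line statements still match. The trailing (\s|;|$) group
  -- stops roles such as ACCOUNTADMIN_READONLY from matching.
  AND REGEXP_LIKE(query_text, $$.*USE\s+ROLE\s+"?ACCOUNTADMIN"?(\s|;|$).*$$, 'is')
ORDER BY start_time DESC;
```

Two operational points when scheduling this: ACCOUNT_USAGE.QUERY_HISTORY is populated with latency (Snowflake documents up to 45 minutes), so a two-hour window run more often than every two hours avoids gaps; and rows with EXECUTION_STATUS = 'FAIL' deserve attention in their own right, since they show a user who did not hold ACCOUNTADMIN attempting to assume it. For triage, compare USER_NAME against the approved set of ACCOUNTADMIN grantees rather than suppressing the rule for successful switches.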
Categories
  • Cloud
  • Application
Data Sources
  • Application Log
ATT&CK Techniques
  • T1078
Created: 2024-05-31