
Summary
This detection rule monitors the creation of new users in Snowflake databases, triggering when a successful 'CREATE USER' query is executed. The rule specifically looks for queries logged in the Snowflake Query History that match the criteria for new user creation. When such an event is detected, it categorizes the activity with an informational severity, allowing practitioners to track user provisioning actions within their Snowflake instance. Although the alert is labeled informational rather than critical, a newly created user account can indicate unauthorized access, or serve as a foothold for persistence, if the account was created by an attacker. This rule aligns with MITRE ATT&CK's persistence techniques, particularly account creation (T1136), making it a useful tool for maintaining oversight of account management in cloud environments.
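As an added illustration (not the rule's own code, nor any vendor's), the matching logic in Python: it inspects constructed Query History rows keyed by the SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY columns QUERY_TEXT, EXECUTION_STATUS, USER_NAME and ROLE_NAME, and emits an informational alert only for CREATE USER statements that actually succeeded. It goes slightly beyond the summary by also recognising the OR REPLACE / IF NOT EXISTS variants and double-quoted identifiers; the sample rows and the alert field names are assumptions.

```python
import re

# CREATE [OR REPLACE] USER [IF NOT EXISTS] <name>; the name is a bare identifier
# or a double-quoted identifier (which may contain doubled quotes).
CREATE_USER_RE = re.compile(
    r'^\s*CREATE\s+(?:OR\s+REPLACE\s+)?USER\s+(?:IF\s+NOT\s+EXISTS\s+)?'
    r'("(?:[^"]|"")+"|[A-Za-z_][A-Za-z0-9_$]*)',
    re.IGNORECASE,
)

def created_user(query_text):
    """Return the user name a CREATE USER statement creates, or None."""
    m = CREATE_USER_RE.match(query_text)
    if not m:
        return None
    name = m.group(1)
    if name.startswith('"'):          # quoted identifiers keep their case
        return name[1:-1].replace('""', '"')
    return name.upper()               # unquoted identifiers resolve to upper case

def rule(event):
    """Fire only on CREATE USER statements whose execution succeeded."""
    return (event.get("EXECUTION_STATUS") == "SUCCESS"
            and created_user(event.get("QUERY_TEXT", "")) is not None)

def alert_for(event):
    """Build an informational alert for a matching Query History row."""
    if not rule(event):
        return None
    name = created_user(event["QUERY_TEXT"])
    return {"severity": "INFO", "created_user": name, "actor": event["USER_NAME"],
            "role": event["ROLE_NAME"],
            "title": f"Snowflake user {name} created by {event['USER_NAME']} via role {event['ROLE_NAME']}"}

def run(events):
    return [a for a in map(alert_for, events) if a is not None]

# Constructed sample rows shaped like SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY columns.
SAMPLE_EVENTS = [
    {"QUERY_TEXT": "CREATE USER svc_etl PASSWORD='<redacted>' DEFAULT_ROLE=ETL_ROLE;",
     "EXECUTION_STATUS": "SUCCESS", "USER_NAME": "ADMIN", "ROLE_NAME": "USERADMIN"},
    {"QUERY_TEXT": 'create user if not exists "Jane.Doe" must_change_password=true',
     "EXECUTION_STATUS": "SUCCESS", "USER_NAME": "ADMIN", "ROLE_NAME": "USERADMIN"},
    {"QUERY_TEXT": "CREATE USER bob", "EXECUTION_STATUS": "FAIL",   # denied: no alert
     "USER_NAME": "ANALYST", "ROLE_NAME": "PUBLIC"},
    {"QUERY_TEXT": "SELECT * FROM users", "EXECUTION_STATUS": "SUCCESS",  # not a CREATE USER
     "USER_NAME": "ANALYST", "ROLE_NAME": "PUBLIC"},
]
```

Running `run(SAMPLE_EVENTS)` yields two alerts (for SVC_ETL and Jane.Doe); the failed and unrelated rows produce none.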
Categories
- Cloud
- Database
- Application
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1136
Created: 2024-11-04