Snowflake Alter Network Policy

Anvilogic Forge

Summary
This detection rule monitors alterations to existing network policies in a Snowflake environment by querying the account's query history for SQL statements that contain 'ALTER' followed by 'network policy'. It returns records from the last two hours in which such statements were executed. The rule reads the `query_history` table in the `snowflake.account_usage` schema and focuses on statements that can modify network policies, flagging potential activity associated with the persistence, privilege escalation, and defense evasion tactics linked to valid accounts. Administrators can use it to identify unauthorized or anomalous changes to network policies that may indicate attempts to manipulate data flow or access-control settings in their Snowflake instances.
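The query below is an added illustration of the detection logic described above; it is not Anvilogic's rule text. It assumes the documented columns of Snowflake's `snowflake.account_usage.query_history` view (`start_time`, `user_name`, `role_name`, `query_id`, `execution_status`, `query_text`).

```sql
-- Added example, not the Forge rule itself: surface ALTER NETWORK POLICY
-- statements run in the last two hours, with who ran them and whether they
-- succeeded. Column names are those documented for the account_usage view.
SELECT
    start_time,
    user_name,
    role_name,
    query_id,
    execution_status,      -- FAILED rows show attempts blocked by privileges
    query_text
FROM snowflake.account_usage.query_history
WHERE start_time >= DATEADD(hour, -2, CURRENT_TIMESTAMP())
  -- Case-insensitive match on ALTER <whitespace> NETWORK <whitespace> POLICY;
  -- REGEXP_LIKE matches the whole string, hence the leading/trailing .*
  -- and the 's' flag so '.' also spans newlines in multi-line statements.
  AND REGEXP_LIKE(query_text, '.*ALTER\\s+NETWORK\\s+POLICY.*', 'is')
ORDER BY start_time DESC;
```

Because the `account_usage` views are populated with a delay, a two-hour window run on a schedule can miss very recent statements; widen the window or overlap consecutive runs when this is a concern.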
Categories
  • Cloud
  • Application
Data Sources
  • Application Log
ATT&CK Techniques
  • T1078
Created: 2024-05-31