Snowflake Manage Grants

Anvilogic Forge

Summary
This detection rule monitors execution of the 'MANAGE GRANTS' command in Snowflake. The MANAGE GRANTS privilege lets a role grant or revoke privileges on a securable object as if it were that object's owner, so it is a direct path to privilege escalation. The rule queries the Snowflake account's usage query history for events from the last two hours and flags any query whose text starts with 'manage grants', using a case-insensitive match. It is associated with the threat actor group UNC5537, known for using a malicious script called 'rapeflake'. Catching this activity matters because a MANAGE GRANTS invocation by an unexpected user or role can indicate misuse of, or unauthorized escalation in, a Snowflake account; the rule therefore supports defense against account manipulation (T1098) by surfacing suspicious privilege-grant activity.
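The query below is an added illustration of the detection logic the summary describes, reconstructed from that description; it is not Anvilogic's published rule source. It assumes the querying role can read the SNOWFLAKE.ACCOUNT_USAGE schema (IMPORTED PRIVILEGES on the SNOWFLAKE database, or ACCOUNTADMIN).

```sql
-- Detection as described: queries from the last two hours whose text starts
-- with 'manage grants', matched case-insensitively.
-- Note: ACCOUNT_USAGE.QUERY_HISTORY lags live activity by up to ~45 minutes,
-- so a two-hour window is appropriate for a scheduled hunt; for near-real-time
-- alerting use the INFORMATION_SCHEMA.QUERY_HISTORY table function instead.
SELECT
    start_time,
    user_name,
    role_name,
    query_type,
    execution_status,
    query_id,
    query_text
FROM snowflake.account_usage.query_history
WHERE start_time >= DATEADD('hour', -2, CURRENT_TIMESTAMP())
  AND LOWER(query_text) LIKE 'manage grants%'
ORDER BY start_time DESC;

-- Tuning suggestion (assumption, not part of the published rule): the
-- statements that actually confer the privilege usually read
-- "GRANT MANAGE GRANTS ON ACCOUNT TO ROLE ...", which a prefix match on
-- 'manage grants' would not return. A whole-statement regex catches both the
-- GRANT and REVOKE forms; Snowflake's REGEXP_LIKE anchors to the full string.
SELECT
    start_time,
    user_name,
    role_name,
    execution_status,
    query_id,
    query_text
FROM snowflake.account_usage.query_history
WHERE start_time >= DATEADD('hour', -2, CURRENT_TIMESTAMP())
  AND REGEXP_LIKE(query_text, $$\s*(GRANT|REVOKE)\s+MANAGE\s+GRANTS\b.*$$, 'i')
  AND execution_status = 'SUCCESS'   -- failed attempts are worth a separate, lower-severity alert
ORDER BY start_time DESC;
```

Review hits against the set of users and roles expected to administer grants; any other principal running these statements should be treated as a potential account-manipulation event.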
Categories
  • Cloud
  • Application
Data Sources
  • Application Log
ATT&CK Techniques
  • T1098
Created: 2024-05-31