
Summary
The Snowflake Create Share detection rule identifies execution of the CREATE SHARE command within the Snowflake platform. CREATE SHARE defines a share object, which is used to share database resources such as schemas and tables between different Snowflake accounts. The rule queries the Snowflake account usage logs for any CREATE SHARE commands issued in the last two hours. It is particularly relevant for organizations that use Snowflake in their data warehousing strategy, because unauthorized creation of shares could lead to sensitive data exposure or breaches. The associated threat actor, UNC5537, indicates that adversaries might exploit this capability for data exfiltration or unauthorized access to shared datasets. The underlying logic uses Snowflake's system function to filter query history for recently executed commands that match the pattern 'create share%'. Detecting this command is important for maintaining strict access controls and governance over data sharing practices.
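The following query is an added illustration of the detection logic the summary describes; it is not the rule's published query. It runs against the SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY view, matches statements whose text begins with 'create share' (case-insensitively), and looks back two hours. It assumes the role running it has been granted access to the SNOWFLAKE database (for example ACCOUNTADMIN, or a role with IMPORTED PRIVILEGES on it).

```sql
-- Added example of the Snowflake Create Share detection (not the rule's own query).
-- Assumes the current role can read SNOWFLAKE.ACCOUNT_USAGE.
SELECT
    query_id,
    start_time,
    user_name,
    role_name,
    warehouse_name,
    execution_status,   -- keep failed attempts visible for triage rather than filtering them out
    query_text
FROM snowflake.account_usage.query_history
WHERE start_time >= DATEADD('hour', -2, CURRENT_TIMESTAMP())
  -- LTRIM tolerates leading whitespace/newlines in the submitted statement;
  -- ILIKE gives the case-insensitive 'create share%' prefix match
  AND LTRIM(query_text) ILIKE 'create share%'
ORDER BY start_time DESC;
```

Two points worth knowing when operationalizing this: the ACCOUNT_USAGE.QUERY_HISTORY view is populated with a delay (Snowflake documents latency of up to about 45 minutes), so a two-hour lookback scheduled every hour gives overlap rather than gaps, and any hit should be triaged by the user and role that issued the command against the accounts listed in the share's grants, since creating a share is legitimate for data-sharing teams but not for most service or analyst identities. For lower-latency checks the INFORMATION_SCHEMA.QUERY_HISTORY table function can be queried with the same predicate, at the cost of only seven days of retention.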
Categories
- Cloud
- Application
Data Sources
- Application Log
ATT&CK Techniques
- T1074
Created: 2024-05-31