
Summary
This detection rule monitors file downloads from a Snowflake stage, capturing events in which sensitive data may be extracted. It uses the Snowflake.QueryHistory log type and matches on the GET_FILES query type, which is what Snowflake records when files are downloaded from a stage. The rule is configured to identify instances where files with certain metadata, or files that fall under potentially sensitive categories, are accessed. Severity is set to Info, and the rule's report mapping to the MITRE ATT&CK framework highlights its relevance to data exfiltration tactics. It is particularly useful for organizations that rely on Snowflake for data storage and analysis, since it maintains oversight of data assets in contexts where information might be extracted with malicious intent. In the current configuration, an alert is not generated at the moment a file download occurs; the rule's log output captures the data needed for auditing and later review.
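The following is an added example, not the rule's own code, showing how the detection described above can be expressed as a Python rule function run over Snowflake.QueryHistory rows. It matches on QUERY_TYPE == GET_FILES and extracts the stage name from QUERY_TEXT for the alert title. The field names QUERY_TYPE, QUERY_TEXT, USER_NAME and ROLE_NAME are assumed to follow Snowflake's QUERY_HISTORY view; the sample events are constructed, and the rule/title function shape is an assumption about the detection platform, not the page's own code.

```python
import re
from typing import Optional

# Assumed field names from Snowflake's QUERY_HISTORY view (QUERY_TYPE, QUERY_TEXT,
# USER_NAME, ROLE_NAME). Verify against your own log schema before deploying.

# GET syntax is "GET @<stage>[/path] file://<local dir>"; capture the stage reference.
# Stage names may be internal table/user stages (@%table, @~) or named stages.
STAGE_PATTERN = re.compile(r"\bGET\s+(@[\w$%~./-]+)", re.IGNORECASE)


def rule(event: dict) -> bool:
    """Fire when the query history row records a GET_FILES query (a stage download)."""
    return event.get("QUERY_TYPE") == "GET_FILES"


def stage_from_query(query_text: Optional[str]) -> Optional[str]:
    """Pull the stage reference out of the GET statement, if present."""
    match = STAGE_PATTERN.search(query_text or "")
    return match.group(1) if match else None


def title(event: dict) -> str:
    """Human-readable summary used as the alert/audit title."""
    user = event.get("USER_NAME", "<unknown user>")
    role = event.get("ROLE_NAME", "<unknown role>")
    stage = stage_from_query(event.get("QUERY_TEXT")) or "<unknown stage>"
    return f"Snowflake: user {user} (role {role}) downloaded files from stage {stage}"


def evaluate(events: list) -> list:
    """Run the rule over a batch of rows and return titles for the matching ones."""
    return [title(e) for e in events if rule(e)]


# Constructed sample rows, shaped like Snowflake.QueryHistory events.
SAMPLE_EVENTS = [
    {
        "QUERY_TYPE": "GET_FILES",
        "QUERY_TEXT": "GET @customer_exports/2024/ file:///tmp/exports/",
        "USER_NAME": "ANALYST_1",
        "ROLE_NAME": "ANALYST",
    },
    {
        "QUERY_TYPE": "SELECT",
        "QUERY_TEXT": "SELECT COUNT(*) FROM customers",
        "USER_NAME": "ANALYST_1",
        "ROLE_NAME": "ANALYST",
    },
    {
        "QUERY_TYPE": "GET_FILES",
        "QUERY_TEXT": "get @%staging_table file:///home/svc/",
        "USER_NAME": "SVC_LOADER",
        "ROLE_NAME": "LOADER",
    },
]

if __name__ == "__main__":
    for line in evaluate(SAMPLE_EVENTS):
        print(line)
```

Because the rule fires on every GET_FILES row, tune it by adding an allow list of expected service accounts or stages in the rule body rather than by relaxing the query-type match, so the audit trail for all other downloads stays intact.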
Categories
- Cloud
- Application
Data Sources
- User Account
- Application Log
- Logon Session
ATT&CK Techniques
- T1041
Created: 2024-11-04