
Summary
Snowflake Stream Password Spray is an experimental detection rule that identifies password spraying against Snowflake by counting how many distinct user accounts are targeted by failed login attempts from a single source IP within a 60-minute window. Rather than brute-forcing a single account, attackers often test one or a few passwords against many accounts to stay under lockout thresholds; the rule captures this pattern by monitoring Snowflake LoginHistory events with IS_SUCCESS = 'NO', grouping them by CLIENT_IP and counting distinct USER_NAME values. When the number of unique targets meets or exceeds the configured Threshold (default 5), an alert is raised. The rule uses a 60-minute DedupPeriodMinutes so that the same IP does not produce repeated alerts within that window. It complements Snowflake.Stream.BruteForceByIp (same IP, any accounts) and Snowflake.PotentialBruteForceSuccess (brute force followed by a login). The alert context highlights the last triggering username, and the Runbook suggests steps such as checking whether privileged accounts (ACCOUNTADMIN, SYSADMIN, SECURITYADMIN) were among the targets, querying LoginHistory for any successful login from the same IP within the window to assess impact, and verifying whether the IP originates from anonymization services or provider ranges. A Snowflake login_history reference is provided for context. The rule is tagged Snowflake, Credential Access, and Brute Force.
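The detection logic the summary describes, as an added Python example that is not the rule's own code: it replays constructed LoginHistory rows through a trailing 60-minute window per CLIENT_IP, applies the Threshold and DedupPeriodMinutes behaviour, and includes the Runbook's same-IP successful-login check. Column names follow the page; the sample rows, function names and the sliding-window implementation are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Rule parameters from the page: Threshold 5, 60-minute window, 60-minute dedup
THRESHOLD = 5
WINDOW = timedelta(minutes=60)
DEDUP_PERIOD = timedelta(minutes=60)

# Constructed sample LoginHistory rows (not real data); only the columns the rule uses.
SAMPLE_EVENTS = [
    {"EVENT_TIMESTAMP": "2026-04-21T10:00:00", "CLIENT_IP": "203.0.113.7", "USER_NAME": "ALICE", "IS_SUCCESS": "NO"},
    {"EVENT_TIMESTAMP": "2026-04-21T10:05:00", "CLIENT_IP": "198.51.100.9", "USER_NAME": "ADMIN", "IS_SUCCESS": "NO"},
    {"EVENT_TIMESTAMP": "2026-04-21T10:10:00", "CLIENT_IP": "203.0.113.7", "USER_NAME": "BOB", "IS_SUCCESS": "NO"},
    {"EVENT_TIMESTAMP": "2026-04-21T10:20:00", "CLIENT_IP": "203.0.113.7", "USER_NAME": "CAROL", "IS_SUCCESS": "NO"},
    {"EVENT_TIMESTAMP": "2026-04-21T10:30:00", "CLIENT_IP": "203.0.113.7", "USER_NAME": "DAVE", "IS_SUCCESS": "NO"},
    {"EVENT_TIMESTAMP": "2026-04-21T10:40:00", "CLIENT_IP": "203.0.113.7", "USER_NAME": "ERIN", "IS_SUCCESS": "NO"},
    {"EVENT_TIMESTAMP": "2026-04-21T10:45:00", "CLIENT_IP": "203.0.113.7", "USER_NAME": "ERIN", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2026-04-21T10:50:00", "CLIENT_IP": "203.0.113.7", "USER_NAME": "FRANK", "IS_SUCCESS": "NO"},
]

def _ts(event):
    return datetime.fromisoformat(event["EVENT_TIMESTAMP"])

def detect_password_spray(events, threshold=THRESHOLD, window=WINDOW, dedup=DEDUP_PERIOD):
    """One alert per CLIENT_IP once the distinct USER_NAMEs with failed logins in the
    trailing `window` reach `threshold`; that IP is then silenced for `dedup`."""
    failed = sorted((e for e in events if e["IS_SUCCESS"] == "NO"), key=_ts)
    recent = defaultdict(deque)  # CLIENT_IP -> (timestamp, USER_NAME) pairs inside the window
    last_alert = {}              # CLIENT_IP -> time of its most recent alert
    alerts = []
    for event in failed:
        ip, now = event["CLIENT_IP"], _ts(event)
        hits = recent[ip]
        hits.append((now, event["USER_NAME"]))
        while now - hits[0][0] > window:  # expire failures older than the window
            hits.popleft()
        targeted = {user for _, user in hits}
        if len(targeted) < threshold:
            continue
        if ip in last_alert and now - last_alert[ip] < dedup:
            continue  # DedupPeriodMinutes: same IP already alerted inside this period
        last_alert[ip] = now
        alerts.append({"client_ip": ip, "distinct_users": len(targeted),
                       "last_user": event["USER_NAME"], "at": now})
    return alerts

def successful_logins_from_ip(events, client_ip, start, end):
    """Runbook check: users with IS_SUCCESS = 'YES' from client_ip between start and end."""
    return sorted({e["USER_NAME"] for e in events if e["CLIENT_IP"] == client_ip
                   and e["IS_SUCCESS"] == "YES" and start <= _ts(e) <= end})
```

With the sample rows, 203.0.113.7 alerts at the fifth distinct failure (last user ERIN), the sixth failure ten minutes later is suppressed by dedup, the single-account failures from 198.51.100.9 never reach the threshold, and the follow-up check surfaces ERIN's later successful login from the spraying IP.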
Categories
- Cloud
Data Sources
- Cloud Service
ATT&CK Techniques
- T1110.003
Created: 2026-04-21