
Summary
This detection rule identifies potential brute-force attacks against Snowflake accounts by monitoring failed login attempts from the same IP address. It analyzes Snowflake's login history records, looking for a user who fails to log in more than a defined threshold number of times (here, 5) within a specified time period (60 minutes). The rule is particularly useful for detecting attacks that target a user's credentials and can help prevent unauthorized access to the Snowflake environment. Deploying this rule requires Snowflake login history logs as the data source. It aligns with MITRE ATT&CK tactic TA0006: Credential Access, specifically technique T1110: Brute Force.
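The detection logic described above, as an added example that is not the rule's own source: a Python function that applies the rolling 60-minute, more-than-5-failures test per (IP, user) pair to records shaped like the columns of Snowflake's ACCOUNT_USAGE LOGIN_HISTORY view (EVENT_TIMESTAMP, USER_NAME, CLIENT_IP, IS_SUCCESS). The sample records, IP addresses and user names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                    # alert when failures exceed this count ...
WINDOW = timedelta(minutes=60)   # ... inside any rolling window of this length


def detect_brute_force(records, threshold=THRESHOLD, window=WINDOW):
    """Return one hit per (CLIENT_IP, USER_NAME) pair whose failed logins
    exceed `threshold` within any rolling `window`. Successful logins are
    ignored; each hit reports the densest window found for that pair."""
    failures = defaultdict(list)
    for r in records:
        if r["IS_SUCCESS"] == "NO":           # LOGIN_HISTORY stores YES / NO
            failures[(r["CLIENT_IP"], r["USER_NAME"])].append(r["EVENT_TIMESTAMP"])
    hits = []
    for (ip, user), times in failures.items():
        times.sort()
        start, best = 0, None
        for end, ts in enumerate(times):       # two-pointer sliding window
            while ts - times[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold and (best is None or count > best[2]):
                best = (times[start], ts, count)
        if best:
            hits.append({"client_ip": ip, "user_name": user, "first_failure": best[0],
                         "last_failure": best[1], "failures": best[2]})
    return hits


# Constructed sample data (documentation IP ranges, hypothetical user names).
BASE = datetime(2024, 11, 4, 9, 0, 0)


def _rec(minute, ip, user, ok):
    return {"EVENT_TIMESTAMP": BASE + timedelta(minutes=minute), "USER_NAME": user,
            "CLIENT_IP": ip, "IS_SUCCESS": "YES" if ok else "NO"}


SAMPLE_LOGIN_HISTORY = (
    [_rec(m, "203.0.113.7", "ALICE", False) for m in (0, 2, 4, 6, 8, 10)]   # 6 in 10 min
    + [_rec(12, "203.0.113.7", "ALICE", True)]                               # success, ignored
    + [_rec(m, "198.51.100.9", "BOB", False) for m in range(0, 210, 35)]     # 6 over 3 h, never >2 per window
    + [_rec(m, "192.0.2.5", "CAROL", False) for m in (0, 5, 10, 15, 20)]     # exactly 5: below "more than 5"
)

if __name__ == "__main__":
    for hit in detect_brute_force(SAMPLE_LOGIN_HISTORY):
        print(f"{hit['client_ip']} -> {hit['user_name']}: {hit['failures']} failures "
              f"between {hit['first_failure']} and {hit['last_failure']}")
```

Only ALICE's pair fires with the default threshold; lowering the threshold to 4 also flags CAROL, while BOB's slow attempts never exceed two failures in any 60-minute window.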
Categories
- Cloud
- Web
- Identity Management
Data Sources
- User Account
- Application Log
- Logon Session
ATT&CK Techniques
- T1110
Created: 2024-11-04