
Summary
This detection rule monitors the copying of a Snowflake table into a stage, an action that can be a precursor to data exfiltration: once a table has been written to a stage, the resulting files can be transferred onward, potentially leading to unauthorized access or theft. The rule is triggered by querying the Snowflake query history for the 'COPY INTO' command whose target is a stage, which is a temporary storage location within Snowflake for data files. The rule carries an informational severity level, indicating a need for monitoring rather than immediate action, unless the event occurs in the context of broader suspicious activity. The related MITRE ATT&CK tactics are tied to exfiltration techniques, highlighting the potential risk involved in such data movements. The testing setup includes scenarios that confirm the rule fires on successful copy-into-stage activity, establishing a benchmark for expected outcomes.
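The following is an added example of the detection logic described above, written for this page and not taken from the rule's own source. It runs the 'COPY INTO' stage check over a few constructed query-history rows shaped like SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY (columns QUERY_ID, USER_NAME, EXECUTION_STATUS, QUERY_TEXT), distinguishing an unload into a stage (COPY INTO @stage FROM table, the event of interest) from a load out of a stage (COPY INTO table FROM @stage, which is routine). The sample rows, the helper names and the filter on successful executions are assumptions for the example; the equivalent Snowflake SQL is included as a constant for reference.

```python
import re
from dataclasses import dataclass

# Unload pattern: COPY INTO followed by a stage reference. Snowflake stage
# references start with '@' (named stage @db.schema.stage/path, user stage @~,
# table stage @%table). A load ('COPY INTO <table> FROM @stage') has a table as
# its target, so it does not match and is deliberately excluded.
UNLOAD_RE = re.compile(r"^\s*COPY\s+INTO\s+(@[\w.~%$/\-]*)", re.IGNORECASE)

# Reference form of the same check as a Snowflake query (assumed shape, not the
# rule's own query). REGEXP_LIKE matches the whole string, hence the trailing '.*'.
QUERY_HISTORY_SQL = r"""
SELECT query_id, user_name, role_name, start_time, query_text
FROM snowflake.account_usage.query_history
WHERE execution_status = 'SUCCESS'
  AND REGEXP_LIKE(query_text, '^\\s*COPY\\s+INTO\\s+@.*', 'is')
"""


@dataclass
class Finding:
    query_id: str
    user_name: str
    stage: str       # the stage reference the data was written to
    query_text: str


def is_copy_into_stage(query_text: str):
    """Return the target stage reference if the statement unloads into a stage, else None."""
    m = UNLOAD_RE.match(query_text)
    return m.group(1) if m else None


def detect_copy_into_stage(rows, successful_only: bool = True):
    """Scan query-history rows and return a Finding for each COPY INTO <stage> statement."""
    findings = []
    for row in rows:
        status = row.get("EXECUTION_STATUS", "").upper()
        # Mirrors the rule's focus on successful copies; failed attempts are kept
        # only when the caller asks for them.
        if successful_only and status != "SUCCESS":
            continue
        stage = is_copy_into_stage(row.get("QUERY_TEXT", ""))
        if stage:
            findings.append(Finding(row["QUERY_ID"], row["USER_NAME"], stage, row["QUERY_TEXT"]))
    return findings


# Constructed sample rows; values are illustrative and not from any real account.
SAMPLE_ROWS = [
    {"QUERY_ID": "q-001", "USER_NAME": "ANALYST_1", "EXECUTION_STATUS": "SUCCESS",
     "QUERY_TEXT": "COPY INTO @my_db.public.export_stage/customers/ FROM my_db.public.customers "
                   "FILE_FORMAT = (TYPE = CSV)"},
    {"QUERY_ID": "q-002", "USER_NAME": "ETL_SVC", "EXECUTION_STATUS": "SUCCESS",
     "QUERY_TEXT": "COPY INTO my_db.public.orders FROM @my_db.public.landing_stage"},  # load, not unload
    {"QUERY_ID": "q-003", "USER_NAME": "ANALYST_1", "EXECUTION_STATUS": "SUCCESS",
     "QUERY_TEXT": "SELECT * FROM my_db.public.customers LIMIT 10"},
    {"QUERY_ID": "q-004", "USER_NAME": "ANALYST_2", "EXECUTION_STATUS": "FAIL",
     "QUERY_TEXT": "copy into @~/dump/ from my_db.public.customers"},  # failed unload attempt
    {"QUERY_ID": "q-005", "USER_NAME": "ANALYST_2", "EXECUTION_STATUS": "SUCCESS",
     "QUERY_TEXT": "  copy into @%customers from my_db.public.customers"},  # table stage, lowercase
]

if __name__ == "__main__":
    for f in detect_copy_into_stage(SAMPLE_ROWS):
        print(f"{f.query_id} {f.user_name} -> {f.stage}")
```

Run as written, the scan reports q-001 and q-005; q-002 is skipped because its target is a table, q-003 is not a COPY statement, and q-004 is dropped by the success filter (pass `successful_only=False` to surface failed attempts as well, which can be useful context when the informational alert is reviewed alongside other activity).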
Categories
- Cloud
- Database
- Application
Data Sources
- Logon Session
- Application Log
ATT&CK Techniques
- T1041
Created: 2024-11-04