
Summary
The "Snowflake User Alter" detection rule identifies modifications to user accounts within the Snowflake data platform. It leverages the Snowflake query history to monitor for `ALTER USER` commands executed within the last two hours: by querying the `snowflake.account_usage.query_history` table, the rule looks for any event signature that matches the `alter_user` command, using a case-insensitive check. The ability to change user properties or session parameters is available to administrators and to individual users, so it can be abused for unauthorized account manipulation, privilege escalation, or other malicious configuration changes. The detection ensures that legitimate administrative actions are tracked while also surfacing suspicious modifications that may indicate a compromise. Covered techniques include persistence via valid accounts and account manipulation, as well as potential privilege escalation.
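The following query is an added illustration of the detection logic described above; it is not the rule's own published query. It assumes the documented columns of Snowflake's `ACCOUNT_USAGE.QUERY_HISTORY` view (`QUERY_TYPE`, `QUERY_TEXT`, `USER_NAME`, `ROLE_NAME`, `START_TIME`, `EXECUTION_STATUS`, `QUERY_ID`); the two-hour window and the case-insensitive `alter_user` match follow the summary. The `target_user` extraction and the `modification_scope` label are constructed helpers added here to separate a user changing their own account from an administrator changing someone else's, which is the distinction an analyst triaging these hits usually wants first.

```sql
-- Added example reconstructing the rule logic; not the rule's own query.
WITH alter_user_events AS (
    SELECT
        qh.start_time,
        qh.user_name,
        qh.role_name,
        qh.query_text,
        qh.execution_status,
        qh.query_id,
        -- constructed helper: extract the target of "ALTER USER [IF EXISTS] <name> ...";
        -- capture group 1 is the optional IF EXISTS clause, group 2 is the user name
        REGEXP_SUBSTR(qh.query_text,
                      'ALTER\\s+USER\\s+(IF\\s+EXISTS\\s+)?"?([A-Za-z0-9_$.@-]+)"?',
                      1, 1, 'i', 2) AS target_user
    FROM snowflake.account_usage.query_history AS qh
    -- look-back window of two hours, as stated in the rule summary
    WHERE qh.start_time >= DATEADD(hour, -2, CURRENT_TIMESTAMP())
      -- case-insensitive match on the ALTER USER query type
      AND qh.query_type ILIKE 'alter_user'
)
SELECT
    start_time,
    user_name   AS actor,
    role_name   AS actor_role,
    target_user,
    -- constructed label: a user altering their own account vs. someone else's
    CASE
        WHEN target_user IS NULL OR UPPER(user_name) = UPPER(target_user) THEN 'self'
        ELSE 'other'
    END         AS modification_scope,
    execution_status,
    query_text,
    query_id
FROM alter_user_events
ORDER BY start_time DESC;
```

When tuning this, keep in mind that `ACCOUNT_USAGE` views are populated with a documented delay, so a two-hour window should be scheduled with that latency in mind; `execution_status` is kept in the output because a failed `ALTER USER` from an unexpected role can be as informative as a successful one.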
Categories
- Cloud
- Application
- Identity Management
Data Sources
- Application Log
ATT&CK Techniques
- T1078
- T1098
Created: 2024-05-31