
Summary
This detection rule identifies potential data destruction in Snowflake, a cloud data warehousing platform, by searching the platform's own query history for executions of the `DROP TABLE` command. `DROP TABLE` is a destructive, one-step action: if it is run by an unauthorized user, a compromised account, or a malicious actor, it can cause significant data loss. The rule reads query history from Snowflake's account usage schema (the `QUERY_HISTORY` view in `SNOWFLAKE.ACCOUNT_USAGE`) and flags any `DROP TABLE` statement executed within the last two hours. The rule is associated with the threat actor group UNC5537, whose campaign against Snowflake customer tenants is the reason a `DROP TABLE` in an unexpected context is treated as a possible destruction event rather than routine maintenance; the reference to "rapeflake" is a name tied to the tooling reported in that campaign (the page gives no further detail). Because the rule works from the application's own audit log, every occurrence of the statement, successful or not, can be surfaced for investigation, which supports data integrity. Three practical points for anyone deploying it: `DROP TABLE` is also a normal part of ETL and schema management, so the results need tuning or enrichment by user, role and object before they are alertable; the `ACCOUNT_USAGE.QUERY_HISTORY` view is populated with a documented latency (up to about 45 minutes), so the two-hour lookback should overlap consecutive runs rather than assume rows arrive immediately; and a dropped table can often be recovered with `UNDROP TABLE` while it is still within Snowflake's Time Travel retention, so response time matters.
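The following is an added worked example of the detection logic described above, run over constructed sample rows shaped like `SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY`; it is not the rule's own search and not code from the page's author. Column names (`QUERY_TEXT`, `START_TIME`, `USER_NAME`, `ROLE_NAME`, `EXECUTION_STATUS`) are Snowflake's; every value, the `NOW` reference time and the helper names are assumptions made for the example. It goes slightly beyond a literal substring match: it ignores `DROP TABLE` text that only appears in SQL comments or string literals, tolerates arbitrary whitespace and case, keeps failed attempts (which are still attacker activity), and applies the two-hour window against `START_TIME`.

```python
"""Added example: flag DROP TABLE statements in Snowflake QUERY_HISTORY rows.

Not the detection rule's own search; column names follow Snowflake's
ACCOUNT_USAGE.QUERY_HISTORY view, all row values are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Fixed "current time" so the example and its checks are deterministic (assumption).
NOW = datetime(2024, 5, 31, 12, 0, tzinfo=timezone.utc)

# Constructed sample rows; every value here is made up for the example.
SAMPLE_QUERY_HISTORY = [
    {"QUERY_ID": "01b4-0001", "USER_NAME": "ETL_SVC", "ROLE_NAME": "ETL_ROLE",
     "START_TIME": NOW - timedelta(minutes=10), "EXECUTION_STATUS": "SUCCESS",
     "QUERY_TEXT": "select count(*) from sales.orders"},
    {"QUERY_ID": "01b4-0002", "USER_NAME": "JSMITH", "ROLE_NAME": "ACCOUNTADMIN",
     "START_TIME": NOW - timedelta(minutes=25), "EXECUTION_STATUS": "SUCCESS",
     "QUERY_TEXT": "drop   table if exists\n  sales.customers"},
    {"QUERY_ID": "01b4-0003", "USER_NAME": "JSMITH", "ROLE_NAME": "ACCOUNTADMIN",
     "START_TIME": NOW - timedelta(minutes=20), "EXECUTION_STATUS": "FAILED_WITH_ERROR",
     "QUERY_TEXT": "DROP TABLE finance.ledger"},
    {"QUERY_ID": "01b4-0004", "USER_NAME": "ANALYST1", "ROLE_NAME": "ANALYST",
     "START_TIME": NOW - timedelta(minutes=5), "EXECUTION_STATUS": "SUCCESS",
     "QUERY_TEXT": "-- TODO: drop table staging.tmp later\nselect 1"},
    {"QUERY_ID": "01b4-0005", "USER_NAME": "ANALYST1", "ROLE_NAME": "ANALYST",
     "START_TIME": NOW - timedelta(minutes=15), "EXECUTION_STATUS": "SUCCESS",
     "QUERY_TEXT": "select 'drop table x' as note"},
    {"QUERY_ID": "01b4-0006", "USER_NAME": "OLDJOB", "ROLE_NAME": "SYSADMIN",
     "START_TIME": NOW - timedelta(hours=3), "EXECUTION_STATUS": "SUCCESS",
     "QUERY_TEXT": "DROP TABLE archive.events_2019"},
]

_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
_LINE_COMMENT = re.compile(r"--[^\n]*")
_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")   # '' is an escaped quote in SQL
_DROP_TABLE = re.compile(r"\bdrop\s+table\b", re.IGNORECASE)


def strip_sql_noise(query_text: str) -> str:
    """Remove comments and single-quoted literals so only real statements remain.

    Good enough for detection triage; it is not a full SQL tokenizer (a '--'
    inside a literal, for example, is handled only because literals are
    removed last after comments).
    """
    text = _BLOCK_COMMENT.sub(" ", query_text)
    text = _LINE_COMMENT.sub(" ", text)
    return _STRING_LITERAL.sub("''", text)


def is_drop_table(query_text: str) -> bool:
    """True when the statement itself (not a comment or literal) drops a table."""
    return _DROP_TABLE.search(strip_sql_noise(query_text)) is not None


def find_drop_table_events(rows, now=NOW, window=timedelta(hours=2)):
    """Return DROP TABLE executions whose START_TIME falls within `window` of `now`.

    Failed statements are kept deliberately: an attacker's attempt that a
    missing privilege blocked is still worth investigating.
    """
    cutoff = now - window
    events = []
    for row in rows:
        if row["START_TIME"] < cutoff or not is_drop_table(row["QUERY_TEXT"]):
            continue
        events.append({
            "query_id": row["QUERY_ID"],
            "user": row["USER_NAME"],
            "role": row["ROLE_NAME"],
            "status": row["EXECUTION_STATUS"],
            "age_minutes": int((now - row["START_TIME"]).total_seconds() // 60),
            "query": " ".join(row["QUERY_TEXT"].split()),
        })
    return events


def count_by_user(events):
    """Aggregate flagged events per user; several drops by one identity is a stronger signal."""
    counts = {}
    for event in events:
        counts[event["user"]] = counts.get(event["user"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_drop_table_events(SAMPLE_QUERY_HISTORY)
    for hit in hits:
        print(hit)
    print(count_by_user(hits))
```

Row `01b4-0006` is dropped by the time window, and rows `01b4-0004` and `01b4-0005` are not flagged because their `DROP TABLE` text lives in a comment and a string literal; rows `01b4-0002` (successful, odd whitespace) and `01b4-0003` (failed attempt) are the two findings. In production the lookback should be widened or overlapped to absorb the `ACCOUNT_USAGE` ingestion latency, and `count_by_user` is the kind of enrichment that separates a single ETL drop from an account that is tearing down many tables.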
Categories
- Cloud
- Application
Data Sources
- Application Log
ATT&CK Techniques
- T1485
Created: 2024-05-31