feat(sigma): Snowflake detections (product: snowflake)#24
Merged
Conversation
New detections/sigma/snowflake/ platform dir mirroring the htpx Snowflake data-cloud pairs. Detects over ACCOUNT_USAGE.QUERY_HISTORY (query_type/query_text); all three lint clean and compile to Splunk:

- snowflake_data_unload — QUERY_TYPE=UNLOAD, exfil left to backend triage (T1567.002)
- snowflake_user_created — CREATE_USER OR privileged GRANT (T1136.003)
- snowflake_network_policy_change — NETWORK POLICY in query text, SHOW excluded (T1562.007)

Wire the dir into both generators: add `snowflake` to gen-siem.sh's NONWIN_DIRS and regenerate savedsearches.generated.conf (now 49 rules); regenerate the ATT&CK Navigator coverage-layer.json (now 34 techniques, +T1567.002/T1136.003/T1562.007) so both drift gates stay green.

README: new snowflake/ section, logsource note, count 46→49.

Co-Authored-By: Claude <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_011spYcGfeP4a3RNQQVDrGtW
Pull request overview
Introduces a new detections/sigma/snowflake/ platform directory to add initial Sigma coverage for Snowflake ACCOUNT_USAGE.QUERY_HISTORY, and wires this new platform into the SIEM and Navigator generators so existing drift/check gates remain consistent.
Changes:
- Added 3 new Snowflake Sigma rules (`product: snowflake`, `service: audit`) for UNLOAD activity, privileged user/role changes, and network policy tampering.
- Updated the SIEM generation pipeline to include `snowflake` as a non-Windows platform dir and regenerated Splunk saved searches.
- Regenerated the ATT&CK Navigator coverage layer and updated the detections README counts/sectioning.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| detections/sigma/snowflake/snowflake_user_created.yml | New Snowflake Sigma rule for CREATE_USER / privileged GRANT activity. |
| detections/sigma/snowflake/snowflake_network_policy_change.yml | New Snowflake Sigma rule for network policy tampering via query text inspection. |
| detections/sigma/snowflake/snowflake_data_unload.yml | New Snowflake Sigma rule surfacing QUERY_TYPE=UNLOAD events. |
| detections/siem/splunk/savedsearches.generated.conf | Regenerated Splunk saved searches to include the new Snowflake rules. |
| detections/siem/gen-siem.sh | Adds snowflake to NONWIN_DIRS so the generator includes the new platform. |
| detections/README.md | Updates rule/document counts and adds a new Snowflake section describing fields and rules. |
| detections/navigator/coverage-layer.json | Regenerated Navigator layer to include the new techniques/rules. |
… (review) The rule matched only the spaced token `NETWORK POLICY` (CREATE/ALTER/DROP), missing the underscore parameter form in `ALTER ACCOUNT/USER SET NETWORK_POLICY = ...` — which the description (and the red pair) call out. Match both forms.

Regenerated the Splunk deploy form; sigma check + convert + both drift gates green.

Co-Authored-By: Claude <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_011spYcGfeP4a3RNQQVDrGtW
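To make the review fix concrete, here is an added Python model of the three detections run over a constructed ACCOUNT_USAGE.QUERY_HISTORY sample; it is example code, not the repository's Sigma rules. The sample rows, the `query_type` values on them, and the list of roles treated as a "privileged GRANT" are assumptions.

```python
import re

# Constructed QUERY_HISTORY rows for the example (values are made up).
SAMPLE_ROWS = [
    {"query_id": "q1", "query_type": "UNLOAD",
     "query_text": "COPY INTO 's3://example-bucket/out/' FROM customers"},
    {"query_id": "q2", "query_type": "CREATE_USER",
     "query_text": "CREATE USER svc_backup PASSWORD='<redacted>'"},
    {"query_id": "q3", "query_type": "GRANT",
     "query_text": "GRANT ROLE ACCOUNTADMIN TO USER svc_backup"},
    {"query_id": "q4", "query_type": "GRANT",
     "query_text": "GRANT SELECT ON TABLE reports TO ROLE analyst"},
    {"query_id": "q5", "query_type": "ALTER_NETWORK_POLICY",
     "query_text": "ALTER NETWORK POLICY corp_np SET ALLOWED_IP_LIST=('0.0.0.0/0')"},
    {"query_id": "q6", "query_type": "ALTER_ACCOUNT",
     "query_text": "ALTER ACCOUNT SET NETWORK_POLICY = permissive_np"},
    {"query_id": "q7", "query_type": "SHOW",
     "query_text": "SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT"},
]

# Assumed set of roles whose GRANT counts as "privileged" for snowflake_user_created.
PRIV_ROLES = ("ACCOUNTADMIN", "SECURITYADMIN", "USERADMIN")

# Matches both the spaced DDL token (CREATE/ALTER/DROP NETWORK POLICY) and the
# underscore parameter form (ALTER ACCOUNT/USER SET NETWORK_POLICY = ...).
NETWORK_POLICY_RE = re.compile(r"\bNETWORK[ _]POLICY\b", re.IGNORECASE)

def is_data_unload(row):
    return row["query_type"] == "UNLOAD"

def is_user_created(row):
    if row["query_type"] == "CREATE_USER":
        return True
    text = row["query_text"].upper()
    return row["query_type"] == "GRANT" and any(r in text for r in PRIV_ROLES)

def is_network_policy_change(row, match_underscore_form=True):
    text = row["query_text"]
    if text.lstrip().upper().startswith("SHOW"):   # read-only, excluded by the rule
        return False
    if match_underscore_form:                       # behaviour after the review fix
        return bool(NETWORK_POLICY_RE.search(text))
    return "NETWORK POLICY" in text.upper()         # original spaced-token-only logic

def triage(rows, match_underscore_form=True):
    """Return {rule_name: [query_id, ...]} for every rule that fires on the rows."""
    hits = {"snowflake_data_unload": [], "snowflake_user_created": [],
            "snowflake_network_policy_change": []}
    for row in rows:
        if is_data_unload(row):
            hits["snowflake_data_unload"].append(row["query_id"])
        if is_user_created(row):
            hits["snowflake_user_created"].append(row["query_id"])
        if is_network_policy_change(row, match_underscore_form):
            hits["snowflake_network_policy_change"].append(row["query_id"])
    return hits
```

With the spaced-token-only logic, q6 (the parameter form) is missed; with both forms matched it fires while the SHOW query stays excluded.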
Snowflake data cloud (Defense mirror)

New detections/sigma/snowflake/ platform dir mirroring the htpx Snowflake pairs — the first `product: snowflake` logsource. Detects over ACCOUNT_USAGE.QUERY_HISTORY (query_type/query_text).

- snowflake_data_unload — QUERY_TYPE=UNLOAD (exfil → backend triage)
- snowflake_user_created — CREATE_USER OR priv GRANT
- snowflake_network_policy_change — NETWORK POLICY in query text (SHOW excluded)

Wires the dir into both generators: `snowflake` added to gen-siem.sh's NONWIN_DIRS (deploy form regenerated → 49 rules), and the ATT&CK Navigator layer regenerated (34 techniques, +T1567.002/T1136.003/T1562.007) — so both drift gates stay green.

Gate (run locally, pinned to CI)

- sigma check --fail-on-issues … → 0 issues
- detections/sigma/convert.sh splunk → compiles
- detections/siem/gen-siem.sh --check → up to date
- detections/navigator/gen-navigator.sh --check → up to date

README: new snowflake/ section, logsource note (…|jenkins|snowflake), rule count 46 → 49.

🤖 Generated with Claude Code