feat(sigma): Snowflake detections (product: snowflake) #24

Merged: Gerrrt merged 2 commits into main from claude/dotfiles-round-7-github-b8nut0 on Jul 2, 2026
Conversation

Gerrrt (Collaborator) commented Jul 2, 2026

Snowflake data cloud (Defense mirror)

New detections/sigma/snowflake/ platform dir mirroring the htpx Snowflake pairs — the first product: snowflake logsource. Detects over ACCOUNT_USAGE.QUERY_HISTORY (query_type / query_text).

| Rule | Match | ATT&CK | Validate with (htpx pair) |
|---|---|---|---|
| snowflake_data_unload | QUERY_TYPE=UNLOAD (exfil → backend triage) | T1567.002 | snowflake-exfil-stage |
| snowflake_user_created | CREATE_USER OR priv GRANT | T1136.003 | snowflake-rogue-user |
| snowflake_network_policy_change | NETWORK POLICY in query text (SHOW excluded) | T1562.007 | snowflake-network-policy |

Wires the dir into both generators: snowflake added to gen-siem.sh's NONWIN_DIRS (deploy form regenerated → 49 rules), and the ATT&CK Navigator layer regenerated (34 techniques, +T1567.002/T1136.003/T1562.007) — so both drift gates stay green.

Gate (run locally, pinned to CI)

  • sigma check --fail-on-issues … → 0 issues
  • detections/sigma/convert.sh splunk → compiles
  • detections/siem/gen-siem.sh --check → up to date
  • detections/navigator/gen-navigator.sh --check → up to date

README: new snowflake/ section, logsource note (…|jenkins|snowflake), rule count 46 → 49.

🤖 Generated with Claude Code


Generated by Claude Code

New detections/sigma/snowflake/ platform dir mirroring the htpx Snowflake
data-cloud pairs. Detects over ACCOUNT_USAGE.QUERY_HISTORY (query_type/query_text);
all three lint clean and compile to Splunk:

- snowflake_data_unload — QUERY_TYPE=UNLOAD, exfil left to backend triage (T1567.002)
- snowflake_user_created — CREATE_USER OR privileged GRANT (T1136.003)
- snowflake_network_policy_change — NETWORK POLICY in query text, SHOW excluded (T1562.007)

Wire the dir into both generators: add `snowflake` to gen-siem.sh's NONWIN_DIRS and
regenerate savedsearches.generated.conf (now 49 rules); regenerate the ATT&CK
Navigator coverage-layer.json (now 34 techniques, +T1567.002/T1136.003/T1562.007) so
both drift gates stay green. README: new snowflake/ section, logsource note, count 46→49.

Co-Authored-By: Claude <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_011spYcGfeP4a3RNQQVDrGtW
Copilot AI review requested due to automatic review settings July 2, 2026 14:22

Copilot AI left a comment

Pull request overview

Introduces a new detections/sigma/snowflake/ platform directory to add initial Sigma coverage for Snowflake ACCOUNT_USAGE.QUERY_HISTORY, and wires this new platform into the SIEM and Navigator generators so existing drift/check gates remain consistent.

Changes:

  • Added 3 new Snowflake Sigma rules (product: snowflake, service: audit) for UNLOAD activity, privileged user/role changes, and network policy tampering.
  • Updated the SIEM generation pipeline to include snowflake as a non-Windows platform dir and regenerated Splunk saved searches.
  • Regenerated the ATT&CK Navigator coverage layer and updated the detections README counts/sectioning.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Summary per file:

| File | Description |
|---|---|
| detections/sigma/snowflake/snowflake_user_created.yml | New Snowflake Sigma rule for CREATE_USER / privileged GRANT activity. |
| detections/sigma/snowflake/snowflake_network_policy_change.yml | New Snowflake Sigma rule for network policy tampering via query text inspection. |
| detections/sigma/snowflake/snowflake_data_unload.yml | New Snowflake Sigma rule surfacing QUERY_TYPE=UNLOAD events. |
| detections/siem/splunk/savedsearches.generated.conf | Regenerated Splunk saved searches to include the new Snowflake rules. |
| detections/siem/gen-siem.sh | Adds snowflake to NONWIN_DIRS so the generator includes the new platform. |
| detections/README.md | Updates rule/document counts and adds a new Snowflake section describing fields and rules. |
| detections/navigator/coverage-layer.json | Regenerated Navigator layer to include the new techniques/rules. |

Comment thread detections/sigma/snowflake/snowflake_network_policy_change.yml Outdated
… (review)

The rule matched only the spaced token `NETWORK POLICY` (CREATE/ALTER/DROP), missing
the underscore parameter form in `ALTER ACCOUNT/USER SET NETWORK_POLICY = ...` — which
the description (and the red pair) call out. Match both forms. Regenerated the Splunk
deploy form; sigma check + convert + both drift gates green.

Co-Authored-By: Claude <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_011spYcGfeP4a3RNQQVDrGtW
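The three rules described in the PR, plus the review fix above (matching both the spaced `NETWORK POLICY` token and the underscore `NETWORK_POLICY` parameter form while still excluding `SHOW`), re-stated as plain detection logic over constructed QUERY_HISTORY rows. This is an added example, not the repository's Sigma rules or its Splunk output; the sample rows are constructed, the `query_type` values other than UNLOAD / CREATE_USER / GRANT / SHOW are assumed, and the definition of a "privileged GRANT" (admin roles or OWNERSHIP) is an assumption since the PR does not spell out its GRANT filter.

```python
import re
from typing import Dict, List, Tuple

# Assumed filter for "privileged GRANT": the PR text only says "priv GRANT",
# so treating admin roles and OWNERSHIP as privileged is this example's choice.
PRIVILEGED_GRANT = re.compile(
    r"\bGRANT\b.*\b(ACCOUNTADMIN|SECURITYADMIN|SYSADMIN|OWNERSHIP)\b",
    re.IGNORECASE | re.DOTALL,
)

# Matches both the spaced token (CREATE/ALTER/DROP NETWORK POLICY ...) and the
# underscore parameter form (ALTER ACCOUNT/USER SET NETWORK_POLICY = ...),
# which is the gap the review-fix commit closed.
NETWORK_POLICY = re.compile(r"\bNETWORK[ _]POLICY\b", re.IGNORECASE)

# Rule name -> ATT&CK technique, as listed in the PR table.
RULES = {
    "snowflake_data_unload": "T1567.002",
    "snowflake_user_created": "T1136.003",
    "snowflake_network_policy_change": "T1562.007",
}


def matching_rules(row: Dict[str, str]) -> List[str]:
    """Return the rule names that fire on one QUERY_HISTORY row."""
    qtype = (row.get("query_type") or "").upper()
    qtext = row.get("query_text") or ""
    hits: List[str] = []

    # Rule 1: any UNLOAD; deciding whether it is exfil is left to backend triage.
    if qtype == "UNLOAD":
        hits.append("snowflake_data_unload")

    # Rule 2: new user, or a GRANT that hands out a privileged role/ownership.
    if qtype == "CREATE_USER" or (qtype == "GRANT" and PRIVILEGED_GRANT.search(qtext)):
        hits.append("snowflake_user_created")

    # Rule 3: network policy touched in query text, SHOW statements excluded
    # (SHOW PARAMETERS ... 'NETWORK_POLICY' is read-only and would otherwise match).
    is_show = qtype == "SHOW" or qtext.lstrip().upper().startswith("SHOW")
    if not is_show and NETWORK_POLICY.search(qtext):
        hits.append("snowflake_network_policy_change")

    return hits


def triage(rows: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (rule, technique, query_text) for every firing row, in input order."""
    findings = []
    for row in rows:
        for rule in matching_rules(row):
            findings.append((rule, RULES[rule], row.get("query_text", "")))
    return findings


# Constructed sample rows shaped like ACCOUNT_USAGE.QUERY_HISTORY (query_type / query_text).
SAMPLE_QUERY_HISTORY = [
    {"query_type": "UNLOAD", "query_text": "COPY INTO @ext_stage/out FROM customers"},
    {"query_type": "CREATE_USER", "query_text": "CREATE USER svc_backup PASSWORD='redacted'"},
    {"query_type": "GRANT", "query_text": "GRANT ROLE ACCOUNTADMIN TO USER svc_backup"},
    {"query_type": "GRANT", "query_text": "GRANT USAGE ON WAREHOUSE wh TO ROLE analyst"},
    {"query_type": "ALTER_ACCOUNT", "query_text": "ALTER ACCOUNT SET NETWORK_POLICY = open_policy"},
    {"query_type": "CREATE_NETWORK_POLICY",
     "query_text": "CREATE NETWORK POLICY p ALLOWED_IP_LIST=('0.0.0.0/0')"},
    {"query_type": "SHOW", "query_text": "SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT"},
    {"query_type": "SELECT", "query_text": "SELECT 1"},
]

if __name__ == "__main__":
    for rule, technique, text in triage(SAMPLE_QUERY_HISTORY):
        print(f"{rule:34} {technique:10} {text}")
```

Run as a script it prints five findings: the UNLOAD, the CREATE USER, the ACCOUNTADMIN grant, and both network-policy changes (spaced and underscore forms); the plain warehouse grant, the `SHOW PARAMETERS` lookup and the `SELECT` stay quiet. The underscore row is the case the original rule missed, so a fixture like this is a cheap regression check to keep beside the Sigma rule when the matcher changes.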
@Gerrrt Gerrrt merged commit 148a7ce into main Jul 2, 2026
4 checks passed