Snowflake network policy modified

This rule is part of a beta feature. To learn more, contact Support.
snowflake

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1562-impair-defenses

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect a network policy was created, modified, or deleted in your Snowflake environment.

Strategy

This rule allows you to detect when a network policy was altered.

Triage and response

  1. Inspect the logs to identify the user that ran the query.
  2. Investigate whether that user is an admin by refernecing the Grants to User table in Snowflake.
  3. If the user is not an admin or has only recently been assigned admin, investigate for signs of compromise.
  4. Otherwise, review internal change management to validate this was an expected change.