Snowflake user granted admin role
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detect a new admin grant to a user in your Snowflake environment.
Strategy
This rule allows you to detect when a user acccount gains adminstrator privileges in Snowflake. If an attacker gains administrative access, they may grant admin-level access to a second compromised user in an attempt to fly under the radar. The following admin permissions are available: AccountAdmin, OrgAdmin, SysAdmin, and SecurityAdmin.
Triage and response
- Inspect the logs to identify the user, role granted, and timestamp.
- Investigate whether the user’s elevated permissions are expected.
- If there are signs of compromise, disable the user associated with the admin grant and rotate credentials.