Snowflake abnormal usage of OAuth access token
Goal
Detect abnormal OAuth access token usage in your Snowflake environment.
Strategy
This rule allows you to detect when an account authenticates with an OAuth access token outside an automated service/driver.
OAuth access tokens act like digital keys that grant access to protected resources.
If an attacker compromises a user account, they might steal the associated access token.
By reviewing access token usage during an incident, you can identify unusual activity patterns. This could involve:
- Access tokens being used from unexpected locations (attacker’s IP address).
- Access tokens being used to access unauthorized resources.
- A sudden spike in access token usage.
Triage and response
- Inspect the logs to see if the IP address is aligned with expected user or service account behavior.
- If the IP address has not been seen before and is followed by query activity, investigate the actions taken.
- If the account was compromised, recreate the access token.
