Snowflake external access occurred
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Goal
Detect when an external access event occurs in your Snowflake environment.
Strategy
This rule allows you to detect when a new external access event occurs in Snowflake. Review any suspicious entries of external access performed by procedure or user-defined function (UDF) handler code within the last 365 days through the External Access History table. Unexpected use of external access for your environment is a potential indicator of compromise.
Triage and response
- Inspect the logs to identify the source cloud, source region, target cloud, target region, and query ID.
- Investigate whether the source and target cloud locations are expected.
- Using the query ID, correlate the behavior with Query History logs to determine the user, query, and other useful information.
- If there are signs of compromise, disable the user associated with the external access integration and rotate credentials.