Snowflake abnormal usage of OAuth access token

This rule is part of a beta feature. To learn more, contact Support.
이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect abnormal OAuth access token usage in your Snowflake environment.

Strategy

This rule allows you to detect when an account authenticates with an OAuth access token outside an automated service/driver.

OAuth access tokens act like digital keys that grant access to protected resources. If an attacker compromises a user account, they might steal the associated access token.

By reviewing access token usage during an incident, you can identify unusual activity patterns. This could involve:

  • Access tokens being used from unexpected locations (attacker’s IP address).
  • Access tokens being used to access unauthorized resources.
  • A sudden spike in access token usage.

Triage and response

  1. Inspect the logs to see if the IP address is aligned with expected user or service account behavior.
  2. If the IP address has not been seen before and is followed by query activity, investigate the actions taken.
  3. If the account was compromised, recreate the access token.
PREVIEWING: may/unit-testing