Solutions/Snowflake/Hunting Queries/SnowflakeFailedLogins.yaml (25 lines of code) (raw):
id: b4a062d1-c95b-4b55-b984-a7efbc2e3a0f
name: Snowflake - Failed logins
description: |
'Query searches for failed logins.'
severity: Medium
requiredDataConnectors:
- connectorId: Snowflake
dataTypes:
- Snowflake
tactics:
- InitialAccess
relevantTechniques:
- T1078
query: |
Snowflake
| where TimeGenerated > ago(24h)
| where EventType =~ 'LOGIN'
| where IS_SUCCESS_s =~ 'No'
| summarize count() by TargetUsername
| extend AccountCustomEntity = TargetUsername
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity