Solutions/Snowflake/Hunting Queries/SnowflakeUnknownQueryType.yaml
id: 98f57314-b6d3-4f3a-8e10-c691d8c946d5
name: Snowflake - Unknown query type
description: |
  'Hunts the Snowflake table for queries whose QUERY_TYPE is UNKNOWN, listing each distinct query text per user seen in the last 24 hours.'
severity: Medium
requiredDataConnectors:
  - connectorId: Snowflake
    dataTypes:
      - Snowflake
tactics:
  - Impact
relevantTechniques:
  - T1499
query: |
  Snowflake
  // Limit the hunt to the last day of ingested Snowflake query history
  | where TimeGenerated > ago(24h)
  // =~ is a case-insensitive string comparison, so 'unknown' and 'UNKNOWN' both match
  | where QUERY_TYPE_s =~ 'UNKNOWN'
  // summarize with no aggregate de-duplicates on the (query text, user) pair
  | summarize by QUERY_TEXT_s, TargetUsername
  // expose the user as the custom Account entity mapped below
  | extend AccountCustomEntity = TargetUsername
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity
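The following KQL is an added worked example, not part of the Sentinel solution above: it runs the hunting query's filter and summarize logic over a constructed in-memory `datatable` so the behaviour of the 24h window, the case-insensitive `=~` match and the aggregate-free `summarize` can be checked without a Snowflake connector. It goes slightly beyond the page's query by adding `count()`, `min()` and `max()` aggregates so that each de-duplicated row also carries how often and when the query text was seen. Only the four columns the hunting query references are modelled; the `Age` column, the sample values, the user names and the query texts are all constructed for the example and do not come from real Snowflake data.

```kusto
// Constructed sample rows shaped like the Snowflake table as the hunting query sees it.
// Age is how long before "now" the row was ingested; TimeGenerated is derived from it
// because datatable() only accepts literals, and a timespan literal is allowed there.
let SampleSnowflake = datatable(Age: timespan, QUERY_TYPE_s: string, QUERY_TEXT_s: string, TargetUsername: string)
[
    2h,   "UNKNOWN", "CALL SYSTEM$WAIT(120)",      "analyst01",   // in window, matches
    1h,   "unknown", "CALL SYSTEM$WAIT(120)",      "analyst01",   // lower-case type: =~ still matches, same text+user as row above
    30m,  "UNKNOWN", "GET @~/stage file://out",    "svc_loader",  // in window, matches, different user
    26h,  "UNKNOWN", "CALL SYSTEM$WAIT(120)",      "analyst01",   // older than 24h: dropped by the time filter
    10m,  "SELECT",  "SELECT 1",                   "analyst01"    // classified query type: dropped by the type filter
]
| extend TimeGenerated = now() - Age
| project-away Age;
// Same pipeline as the hunting query, with aggregates added so each surviving
// (query text, user) pair also reports its occurrence count and first/last sighting.
SampleSnowflake
| where TimeGenerated > ago(24h)
| where QUERY_TYPE_s =~ 'UNKNOWN'
| summarize Occurrences = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by QUERY_TEXT_s, TargetUsername
| extend AccountCustomEntity = TargetUsername
| order by LastSeen desc
```

Run as-is in Log Analytics or Azure Data Explorer; no table needs to exist. Two summarized rows come back: the `CALL SYSTEM$WAIT(120)` text for `analyst01` with an occurrence count of 2 (the upper- and lower-case `UNKNOWN` rows collapse together because `=~` is case-insensitive, while the 26h-old copy is excluded by the window), and the `GET @~/stage file://out` text for `svc_loader` with a count of 1. Dropping the aggregates from `summarize` gives exactly the de-duplicated output shape the page's hunting query produces.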