What Changed
The “Snowflake Multiple Failed Queries” detection rule was updated to include an additional filter requiring the presence of the QueryExecutionStatus field before evaluating query failures.
Detection Logic
The enhanced rule now includes “| where isnotempty(QueryExecutionStatus)” as the first filter, ensuring only events with execution status information are processed for failure analysis. The rule continues to monitor for more than 50 failed queries per user within 5-minute bins where QueryExecutionStatus does not equal SUCCESS.
Security Impact (Visibility & Fidelity)
Previously, the detection triggered false positives on SnowflakeLoad and other activity event types that lacked the QueryExecutionStatus field. Because an absent or empty status value is not equal to SUCCESS, these events satisfied the “not SUCCESS” condition despite not being actual query execution failures.
The fix ensures detection fidelity by:
- Eliminating false alerts from data loading operations
- Focusing monitoring on actual query execution events
- Maintaining coverage of legitimate failed query patterns (brute force, credential stuffing, reconnaissance)
Organizations using this detection will see reduced alert noise while preserving visibility into suspicious query failure patterns that may indicate compromise or unauthorized access attempts.
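To make the detection logic and the false-positive mechanism concrete, here is an added Python simulation of the rule (not the solution's own KQL): constructed events, a per-user 5-minute bin count of non-SUCCESS statuses, and the > 50 threshold, run with and without the isnotempty() filter. Column names follow the page; the table layout and sample users are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (not real Snowflake telemetry). Only the columns
# the rule touches are modelled; the column names are taken from the page.
def make_events():
    base = datetime(2024, 1, 1, 10, 0, 0)
    events = []
    # 60 SnowflakeLoad events for alice that carry no execution status.
    # An empty status is "not SUCCESS", so before the fix they trip the rule.
    for i in range(60):
        events.append({"TimeGenerated": base + timedelta(seconds=i),
                       "EventType": "SnowflakeLoad", "UserName": "alice",
                       "QueryExecutionStatus": ""})
    # 55 genuinely failed queries for bob inside one 5-minute bin.
    for i in range(55):
        events.append({"TimeGenerated": base + timedelta(seconds=i),
                       "EventType": "SnowflakeQuery", "UserName": "bob",
                       "QueryExecutionStatus": "FAIL"})
    # 10 failed queries for carol: below the threshold, must not alert.
    for i in range(10):
        events.append({"TimeGenerated": base + timedelta(seconds=i),
                       "EventType": "SnowflakeQuery", "UserName": "carol",
                       "QueryExecutionStatus": "FAIL"})
    return events

def bin_start(ts, minutes=5):
    # Same floor as KQL bin(TimeGenerated, 5m).
    return ts.replace(minute=ts.minute - ts.minute % minutes,
                      second=0, microsecond=0)

def failed_query_alerts(events, threshold=50, require_status=True):
    """Count non-SUCCESS events per (user, 5-minute bin) and return the
    pairs above the threshold. require_status=False reproduces the
    pre-fix rule, which had no isnotempty() filter."""
    counts = Counter()
    for e in events:
        status = e.get("QueryExecutionStatus", "")
        if require_status and not status:
            continue                      # | where isnotempty(QueryExecutionStatus)
        if status != "SUCCESS":           # | where QueryExecutionStatus != "SUCCESS"
            counts[(e["UserName"], bin_start(e["TimeGenerated"]))] += 1
    return {key: n for key, n in counts.items() if n > threshold}

if __name__ == "__main__":
    evts = make_events()
    before = failed_query_alerts(evts, require_status=False)
    after = failed_query_alerts(evts)
    print("pre-fix alert users :", sorted(u for u, _ in before))   # alice, bob
    print("post-fix alert users:", sorted(u for u, _ in after))    # bob
```

The pre-fix run alerts on alice purely because of status-less load events; the post-fix run keeps only bob's 55 real failures.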
Affected Files
Solutions/Snowflake/Analytic Rules/SnowflakeMultipleFailedQueries.yaml
(packaging artefacts: 3.0.9.zip, ReleaseNotes.md, mainTemplate.json)