Detection rules › Panther
Snowflake Brute Force Attacks by User
Detect brute force attacks by monitorign failed logins from the same IP address
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1110 Brute Force |
Rule body yaml
AnalysisType: rule
Filename: snowflake_stream_brute_force_by_username.py
RuleID: "Snowflake.Stream.BruteForceByUsername"
DisplayName: Snowflake Brute Force Attacks by User
Enabled: true
LogTypes:
- Snowflake.LoginHistory
Severity: Medium
Reports:
MITRE ATT&CK:
- TA0006:T1110
Description: Detect brute force attacks by monitorign failed logins from the same
IP address
DedupPeriodMinutes: 60
Threshold: 5
Tags:
- Snowflake
- '[MITRE] Credential Access'
- '[MITRE] Brute Force'
Tests:
- Name: Successful Login
ExpectedResult: false
Log:
{
"p_event_time": "2024-10-08 14:38:46.061000000",
"p_log_type": "Snowflake.LoginHistory",
"p_source_label": "Snowflake Prod",
"CLIENT_IP": "1.1.1.1",
"EVENT_ID": "393754014361778",
"EVENT_TIMESTAMP": "2024-10-08 14:38:46.061000000",
"EVENT_TYPE": "LOGIN",
"FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
"IS_SUCCESS": "YES",
"RELATED_EVENT_ID": "0",
"REPORTED_CLIENT_TYPE": "OTHER",
"REPORTED_CLIENT_VERSION": "1.11.1",
"USER_NAME": "ckent@dailyplanet.org"
}
- Name: Unsuccessful Login
ExpectedResult: true
Log:
{
"p_event_time": "2024-10-08 14:38:46.061000000",
"p_log_type": "Snowflake.LoginHistory",
"p_source_label": "Snowflake Prod",
"CLIENT_IP": "1.2.3.4",
"EVENT_ID": "393754014361778",
"EVENT_TIMESTAMP": "2024-10-08 14:38:46.061000000",
"EVENT_TYPE": "LOGIN",
"FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
"IS_SUCCESS": "NO",
"RELATED_EVENT_ID": "0",
"REPORTED_CLIENT_TYPE": "OTHER",
"REPORTED_CLIENT_VERSION": "1.11.1",
"USER_NAME": "luthor@lexcorp.com"
}
- Name: Unsuccessful Login due to Invalid JWT Fingerprint
ExpectedResult: true
Log:
{
"p_event_time": "2024-10-08 14:38:46.061000000",
"p_log_type": "Snowflake.LoginHistory",
"p_source_label": "Snowflake Prod",
"CLIENT_IP": "1.2.3.4",
"ERROR_CODE": 394304,
"ERROR_MESSAGE": "JWT_TOKEN_INVALID_PUBLIC_KEY_FINGERPRINT_MISMATCH",
"EVENT_ID": "393754014361778",
"EVENT_TIMESTAMP": "2024-10-08 14:38:46.061000000",
"EVENT_TYPE": "LOGIN",
"FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
"IS_SUCCESS": "NO",
"RELATED_EVENT_ID": "0",
"REPORTED_CLIENT_TYPE": "OTHER",
"REPORTED_CLIENT_VERSION": "1.11.1",
"USER_NAME": "luthor@lexcorp.com"
}
- Name: Overflow Failure
ExpectedResult: false
Log:
{
"p_event_time": "2024-11-15 00:12:24.288000000",
"p_log_type": "Snowflake.LoginHistory",
"p_parse_time": "2024-11-15 02:46:25.862374468",
"CLIENT_IP": "0.0.0.0",
"ERROR_CODE": 390156,
"ERROR_MESSAGE": "OVERFLOW_FAILURE_EVENTS_ELIDED",
"EVENT_ID": "16592193114297018",
"EVENT_TIMESTAMP": "2024-11-15 00:12:24.288000000",
"EVENT_TYPE": "LOGIN",
"IS_SUCCESS": "NO",
"RELATED_EVENT_ID": "0",
"REPORTED_CLIENT_TYPE": "OTHER",
"REPORTED_CLIENT_VERSION": "0",
"USER_NAME": "luthor@lexcorp.com"
}
Detection logic
Condition
EVENT_TYPE eq "LOGIN"
IS_SUCCESS eq "NO"
ERROR_MESSAGE ne "OVERFLOW_FAILURE_EVENTS_ELIDED"
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
ERROR_MESSAGE | ne |
|
EVENT_TYPE | eq |
|
IS_SUCCESS | eq |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field |
|---|
USER_NAME |