
@wesleyhales
Last active June 2, 2024 19:37
-- Query 1: Identifying Access from Suspected IP Addresses
--
-- Returns every login_history row whose client_ip exactly matches one of the
-- listed addresses, oldest event first. All columns are kept on purpose so
-- each hit carries its full login record for triage.
--
-- Reading the results: a match is a lead, not proof of compromise. For each
-- hit, check whether the login succeeded (is_success), which user_name it was
-- for, and which authentication factors were recorded.
--
-- The address list is a point-in-time indicator set and this page does not
-- state its source; confirm it against the advisory you are working from
-- before relying on it, and treat an empty result as "no match on this list",
-- not as a clean bill of health.
--
-- NOTE(review): Account Usage views are populated with some delay, so the
-- most recent logins may not be visible yet -- confirm the current latency
-- and retention in the Snowflake documentation.
SELECT
    lh.*
FROM snowflake.account_usage.login_history AS lh
WHERE lh.client_ip IN (
    '104.223.91.28', '198.54.135.99', '184.147.100.29', '146.70.117.210',
    '198.54.130.153', '169.150.203.22', '185.156.46.163', '146.70.171.99',
    '206.217.206.108', '45.86.221.146', '193.32.126.233', '87.249.134.11',
    '66.115.189.247', '104.129.24.124', '146.70.171.112', '198.54.135.67',
    '146.70.124.216', '45.134.142.200', '206.217.205.49', '146.70.117.56',
    '169.150.201.25', '66.63.167.147', '194.230.144.126', '146.70.165.227',
    '154.47.30.137', '154.47.30.150', '96.44.191.140', '146.70.166.176',
    '198.44.136.56', '176.123.6.193', '192.252.212.60', '173.44.63.112',
    '37.19.210.34', '37.19.210.21', '185.213.155.241', '198.44.136.82',
    '93.115.0.49', '204.152.216.105', '198.44.129.82', '185.248.85.59',
    '198.54.131.152', '102.165.16.161', '185.156.46.144', '45.134.140.144',
    '198.54.135.35', '176.123.3.132', '185.248.85.14', '169.150.223.208',
    '162.33.177.32', '194.230.145.67', '5.47.87.202', '194.230.160.5',
    '194.230.147.127', '176.220.186.152', '194.230.160.237', '194.230.158.178',
    '194.230.145.76', '45.155.91.99', '194.230.158.107', '194.230.148.99',
    '194.230.144.50', '185.204.1.178', '79.127.217.44', '104.129.24.115',
    '146.70.119.24', '138.199.34.144'
)
ORDER BY lh.event_timestamp;
-- Query 2: Identifying Access from Suspected Clients
--
-- Returns every sessions row whose client_environment JSON reports either
--   (a) APPLICATION = 'rapeflake', or
--   (b) APPLICATION = 'DBeaver_DBeaverUltimate' together with
--       OS = 'Windows Server 2022',
-- ordered by session creation time, oldest first. Both comparisons are exact
-- matches on the parsed JSON values.
--
-- Reading the results: branch (b) names a general-purpose database client on
-- a common server OS, so hits there can be legitimate administrators and need
-- triage against known users and hosts before being treated as malicious.
--
-- NOTE(review): client_environment is presumably reported by the connecting
-- client, so a tool that reports different values will not match here; use
-- this query alongside the IP-based query, not instead of it.
-- NOTE(review): to see where a matching session logged in from, it should be
-- possible to correlate sessions.login_event_id with login_history.event_id --
-- verify the column names against the current Account Usage documentation.
SELECT
    s.*
FROM snowflake.account_usage.sessions AS s
WHERE PARSE_JSON(s.client_environment):APPLICATION = 'rapeflake'
   OR (
        PARSE_JSON(s.client_environment):APPLICATION = 'DBeaver_DBeaverUltimate'
    AND PARSE_JSON(s.client_environment):OS = 'Windows Server 2022'
   )
ORDER BY s.created_on;