
Snowflake red-team iter-5 — healthcare overlay, detection honesty pass, Chains K/L/M #48

Merged: AndrewAltimit merged 1 commit into main from snowflake-redteam-iter5 on May 15, 2026

@AndrewAltimit
Owner

Summary

Fifth iteration on the Snowflake platform red-team work, driven by a self-audit of iter-1 through iter-4. The audit flagged: no healthcare context in any artifact, several Sigma rules quietly using derived fields they didn't document, weak detection logic on the bulk-exfil + federated-login baselines, missing surface area (Polaris/Iceberg, OAuth scope drift, UDF EAI breakout, SPCS image supply chain), and ~150 lines of duplicated boilerplate across the offensive tools.

What's in this PR

Healthcare overlay

  • docs/analysis/snowflake-healthcare-overlay-2026.md — per-chain PHI exposure map, HIPAA controls each chain challenges, BAA considerations for Cortex/Native Apps, OCR audit-retention sufficiency analysis.

Detection honesty pass

  • detection/snowflake/ENRICHMENT.md — canonical inventory of every derived field across the rule set with native source, computation, input-data location, and a deployment checklist.
  • enrichment: block added to every Sigma rule (~24 files including Trail variants), explicit sidecar_required: true on Cortex rules whose cortex_agent_history / cortex_search_audit log sources are not native ACCOUNT_USAGE views.

Detection logic fixes

  • bulk_exfil_baseline.yml: rewritten from volume-only to role-baseline + per-role p90 volume + off-hours signals (won't misfire on quarter-close).
  • federated_login_anomaly.yml: lag-tolerant with Snowflake/Okta/Entra latency profile and both-sources-caught-up gate.

New chains

  • Chain K — Polaris / Iceberg catalog abuse (iceberg_catalog_pivot.py + iceberg_table_outside_catalog_base.yml)
  • Chain L — External OAuth scope drift (oauth_scope_audit.py + oauth_integration_scope_drift.yml)
  • Chain M — UDF EAI breakout (udf_eai_egress.py + udf_with_eai_invocation.yml)
  • SPCS base-image supply chain (Chain H extension): spcs_base_image_probe.py + spcs_image_unpinned_or_external.yml

Deepening existing chains

  • Chain I (Cortex): mode_corpus.py externalises payloads; new modes semantic_inject / authority_spoof / multi_turn_setup / multi_turn_payoff / search_rank_hijack; new behavioural rule cortex_agent_followup_without_user_intent.yml that fires without a CALL_TOOL: token; full lab-validation/ directory with trace + search audit + MCP poisoning SQL.
  • Chain C (Native App): naaaps_bypass_probe.py with a 10-payload corpus across the four documented NAAAPS threat categories; v2-dep + v3-loader manifests for the deferred-loader timeline; --variant multi-stage simulator mode; native_app_dependency_drift.yml.

Pipeline + infra hardening

  • Streaming-ingest: Function timeout aligned with poll cadence (4 min / 60 s), host.json singleton block prevents auto-recovery race, cursor writes through fcntl.flock + atomic rename, README replaces "~90 s end-to-end" with a per-stage measurement methodology.
  • tools/lib/snowflake_mock_client.py — shared client helpers (login_with_pat, run_sql, read_query_history, get, post); 5 pivot tools refactored.

Indexes refreshed

  • CLAUDE.md, root README.md, detection/snowflake/README.md, both tool READMEs.
  • docs/analysis/snowflake-platform-attack-surface-2026.md extended with chains K/L/M + SPCS image.
  • HTML report (attack-chains.html, detection.html, index.html) updated.

Test plan

  • python3 ci/check_snowflake_report_integrity.py passes — nav parity + internal links across all 7 report pages.
  • python3 ci/check_snowflake_tools_syntax.py passes — 22 module syntax check.
  • python3 ci/check_mock_services_loopback.py passes — 8 server / 8 file loopback check.
  • All refactored and new Python tools compile cleanly.
  • Reviewer: skim detection/snowflake/ENRICHMENT.md for any derived field whose computation feels unrealistic for a customer's ingestion pipeline.
  • Reviewer: read the healthcare overlay end-to-end and flag any HIPAA citation that needs sharpening.
  • Reviewer: confirm the four new chains (K/L/M + SPCS image) cohere with the existing A-J narrative.

Generated with Claude Code

…s, Chains K/L/M, deeper I/C, hardened pipeline

Major additions:

* Healthcare overlay (`docs/analysis/snowflake-healthcare-overlay-2026.md`)
  — per-chain PHI exposure map, HIPAA control mapping, BAA considerations,
  OCR audit-retention sufficiency analysis.
* Detection honesty pass — canonical `detection/snowflake/ENRICHMENT.md`
  inventorying every derived field (allowlists, baselines, IdP correlation,
  Cortex sidecar) with native source + computation + deployment checklist;
  `enrichment:` block added to all Sigma rules (~24 files, ACCOUNT_USAGE
  and Trail variants).
* `bulk_exfil_baseline.yml` rewritten — role-baseline / volume-baseline /
  off-hours signals replace the volume-only floor.
* `federated_login_anomaly.yml` made lag-tolerant — documents Snowflake /
  Okta / Entra latency profile; both-sources-caught-up gate prevents FP
  storms during ingestion lag.

New chains:

* Chain K — Polaris / Iceberg catalog abuse (`iceberg_catalog_pivot.py`
  + `iceberg_table_outside_catalog_base.yml`).
* Chain L — External OAuth scope drift (`oauth_scope_audit.py` +
  `oauth_integration_scope_drift.yml`).
* Chain M — UDF EAI breakout (`udf_eai_egress.py` +
  `udf_with_eai_invocation.yml`).
* SPCS base-image supply chain (Chain H extension) —
  `spcs_base_image_probe.py` + `spcs_image_unpinned_or_external.yml`.

Deepening on existing chains:

* Chain I — Cortex agent abuse: `mode_corpus.py` externalizes payloads;
  new modes `semantic_inject` / `authority_spoof` / `multi_turn_setup` /
  `multi_turn_payoff` / `search_rank_hijack`; new behavioural rule
  `cortex_agent_followup_without_user_intent.yml` (no keyword dependency);
  full `lab-validation/` directory with trace + search audit + MCP
  poisoning lab SQL.
* Chain C — Native App supply chain: `naaaps_bypass_probe.py` with a
  10-payload corpus across the four documented NAAAPS threat categories;
  `v2-dep` + `v3-loader` manifests for the deferred-loader timeline;
  `--variant multi-stage` simulator mode; `native_app_dependency_drift.yml`.

Pipeline & infra hardening:

* Streaming-ingest: Function timeout extended to 4 min and aligned with
  the 60 s poll cadence; `host.json` singleton block prevents auto-recovery
  race; cursor write goes through fcntl.flock + atomic rename; README
  replaces the "~90 s end-to-end" claim with a per-stage measurement
  methodology.
* `tools/lib/snowflake_mock_client.py` — shared `login_with_pat` /
  `run_sql` / `read_query_history` / `get` / `post`; 5 pivot tools
  refactored to use it (boilerplate consolidation).

Report + indexes:

* `docs/analysis/snowflake-platform-attack-surface-2026.md` adds chains
  K/L/M + SPCS image; `reports/snowflake-platform-assessment/`
  attack-chains, detection, and index pages updated.
* `CLAUDE.md`, root `README.md`, `detection/snowflake/README.md`, and
  both tool READMEs refreshed.

CI status: `check_snowflake_report_integrity`,
`check_snowflake_tools_syntax`, and `check_mock_services_loopback` all
pass against the new content.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
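
The both-sources-caught-up gate described for `federated_login_anomaly.yml`, as an added example (not the repository's rule or code). The function name, field names, match window and lag values are assumptions; the `stalled` state for a feed that stays behind longer than its profiled lag is also an assumption, not something the PR mentions.

```python
from datetime import datetime, timedelta, timezone

# Assumed worst-case ingestion lag per source (constructed values, not the rule's profile).
INGEST_LAG = {"snowflake": timedelta(minutes=45), "idp": timedelta(minutes=10)}
MATCH_WINDOW = timedelta(minutes=5)  # IdP auth must fall within this window of the login


def classify_login(login, idp_events, watermarks, now):
    """Classify one federated Snowflake login as matched/pending/anomalous/stalled.

    login and idp_events entries are {"user", "ts"}; watermarks holds the newest
    event timestamp ingested so far for each source.
    """
    lo, hi = login["ts"] - MATCH_WINDOW, login["ts"] + MATCH_WINDOW
    if any(e["user"] == login["user"] and lo <= e["ts"] <= hi for e in idp_events):
        return "matched"
    # Gate: a missing IdP event is only evidence once both feeds have ingested
    # past the end of the match window, so the event can no longer be in flight.
    if all(watermarks[src] >= hi for src in ("snowflake", "idp")):
        return "anomalous"
    # A feed still behind after its profiled lag is a pipeline-health problem;
    # report it separately instead of raising a login alert for every user.
    if now >= hi + max(INGEST_LAG.values()):
        return "stalled"
    return "pending"


T0 = datetime(2026, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed reference time


def m(minutes):
    return T0 + timedelta(minutes=minutes)


def demo():
    idp = [{"user": "alice", "ts": m(-1)}]           # constructed IdP events
    lagging = {"snowflake": m(10), "idp": m(2)}      # IdP feed behind the window
    caught_up = {"snowflake": m(10), "idp": m(10)}   # both feeds past the window
    bob = {"user": "bob", "ts": m(0)}                # login with no IdP event
    return [
        classify_login({"user": "alice", "ts": m(0)}, idp, lagging, m(10)),
        classify_login(bob, idp, lagging, m(10)),
        classify_login(bob, idp, caught_up, m(10)),
        classify_login(bob, idp, lagging, m(90)),
    ]
```
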
@AndrewAltimit AndrewAltimit merged commit b289fb6 into main May 15, 2026
2 checks passed
@AndrewAltimit AndrewAltimit deleted the snowflake-redteam-iter5 branch May 15, 2026 17:13
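
The cursor-write pattern named in the pipeline hardening notes (`fcntl.flock` plus atomic rename), as an added example that is not the repository's code. The file names, the `high_water` field and the refuse-to-rewind check are assumptions.

```python
import fcntl
import json
import os
import tempfile


def read_cursor(path):
    """Readers need no lock: os.replace means they see the old or new file, never a torn one."""
    try:
        with open(path) as f:
            return json.load(f)
    except FileNotFoundError:
        return None


def write_cursor(path, cursor):
    """Persist the poll cursor; returns False if it would move the cursor backwards."""
    directory = os.path.dirname(os.path.abspath(path))
    # Lock a sidecar file, not the cursor itself: os.replace swaps the inode,
    # so a lock held on the old cursor file would not exclude the next writer.
    with open(path + ".lock", "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)  # released when the lock file is closed
        current = read_cursor(path)
        if current is not None and cursor["high_water"] < current["high_water"]:
            return False  # stale writer: keep the newer cursor
        fd, tmp = tempfile.mkstemp(dir=directory, prefix=".cursor-")
        try:
            with os.fdopen(fd, "w") as f:
                json.dump(cursor, f)
                f.flush()
                os.fsync(f.fileno())  # data on disk before the rename publishes it
            os.replace(tmp, path)     # atomic on POSIX within one filesystem
        except BaseException:
            os.unlink(tmp)            # never leave a partial temp file behind
            raise
    return True


def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "cursor.json")
        results = [write_cursor(path, {"high_water": n}) for n in (100, 50, 200)]
        return results, read_cursor(path), sorted(os.listdir(d))
```
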