Snowflake red-team iter-8 — surface analytical depth in the deliverable, close detection-rule structural gaps #51
Merged
…le, close detection-rule structural gaps

Iter-7 audit found that the analytical layer (docs/analysis, detection/snowflake) consistently outran the HTML deliverable a client actually reads, and that three Sigma rules carried structural matching defects that would either over-fire or never fire. This iteration closes both gaps end-to-end.

Deliverable layer (reports/snowflake-platform-assessment/):

- New healthcare-overlay.html surfacing HIPAA control mapping, MFA-boundary clarity, per-chain PHI impact, OCR retention, and engagement-runbook items. The analytical companion existed in docs/analysis/ but was invisible to readers landing on the HTML report.
- New incident-response.html with detect→contain→remediate→validate per chain (A, B, C, D, F, G, I, J), real Snowflake containment SQL (ALTER USER … SET DISABLED, ALTER SHARE … REMOVE ACCOUNTS, RSA_PUBLIC_KEY clearing, PAT revocation), forensic-capture templates, and cross-cutting hygiene rules.
- Residual-risk profile table on attack-chains.html (Default residual vs. Post-P0 residual per chain), naming the structural surface that remains after each chain's P0 fix is applied.
- Detection-coverage matrix (chain × maturity tier) on detection.html, with rule counts corrected to 34 total / 4 production_ready / 20 requires_enrichment / 4 requires_correlation / 5 requires_cortex_sidecar / 1 requires_endpoint_telemetry.
- CVE-inventory page: every high/medium-severity row now carries Affected / Trigger / Artifact / Detection applicability fields lifted from the per-CVE matrix doc; previously the page was a CVE list without the operational columns.
- Remediation timeline (30/60/90/180-day phasing) on recommendations.html with effort estimates and a "why this window" column.
- Per-page TOC + anchor IDs on all nine HTML pages. New .page-toc CSS rule uses the two-column layout.

Detection-rule fixes (the structural defects iter-7 named):

- New bulk_exfil_baseline_trail.yml (Chain A Trail-side pair) — the detection README claimed every chain had both ACCOUNT_USAGE and Trail rules; Chain A's Trail variant was previously the streaming-ingest sidecar, not a rule. Now a proper rule consuming query.snowflake.completed with the same four-signal contract as the ACCOUNT_USAGE rule.
- native_app_privilege_bump.yml, native_app_privilege_bump_trail.yml, native_app_unexpected_version_bump.yml switched from `|contains: 'PRIVILEGE:'` (substring match, FP risk) to `|startswith: 'PRIVILEGE:'` (binds to the structural-token contract emitted by the application_history projection).
- udf_with_eai_invocation.yml now keys on an explicit `udf_has_eai: true` boolean rather than `udf_eai_list|exists: true` — the latter would pass on an empty list `[]` and fire on UDFs that declare no EAIs.
- ENRICHMENT.md §3 expanded with per-SIEM watermark-computation recipes (Sentinel KQL, Splunk SPL, Elastic), fallback modes, and a synthetic-event validation step. Previously the watermark fields were named but uncomputed; federated_login_anomaly.yml would silently never fire in a SIEM without the watermark pipeline.

Cross-references kept consistent:

- chain-reference-table.md updated with Chain A's new Trail rule UUID and the residual-risk profile table.
- detection/snowflake/README.md rule-count tier table reflects the new rule (34 total, 20 requires_enrichment).
- All nine report pages share the identical nav block; CI report-integrity check passes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary

Iter-7 self-audit found that the analytical depth (`docs/analysis/`, `detection/snowflake/`) consistently outran what reached the client-facing HTML report, and that three Sigma rules carried structural matching defects (over-firing or never-firing). This iteration closes both gaps end-to-end across 13 prioritized audit items.

Deliverable layer (`reports/snowflake-platform-assessment/`)

- `healthcare-overlay.html` — HIPAA control mapping, MFA-boundary clarity (human vs. service), per-chain PHI impact map, OCR retention, engagement runbook. Surfaces the analytical companion at `docs/analysis/snowflake-healthcare-overlay-2026.md`.
- `incident-response.html` — detect to contain to remediate to validate per chain (A, B, C, D, F, G, I, J), with real Snowflake containment SQL (`ALTER USER … SET DISABLED`, `ALTER SHARE … REMOVE ACCOUNTS`, `RSA_PUBLIC_KEY` clearing, PAT revocation), forensic-capture templates.
- `attack-chains.html` — new "Residual-risk profile" table (Default residual vs. Post-P0 residual per chain).
- `detection.html` — new chain x maturity-tier coverage matrix; rule counts corrected (34 total: 4 `production_ready`, 20 `requires_enrichment`, 4 `requires_correlation`, 5 `requires_cortex_sidecar`, 1 `requires_endpoint_telemetry`).
- `cve-inventory.html` — every high/medium CVE row now carries Affected / Trigger / Artifact / Detection applicability fields lifted from the per-CVE matrix doc.
- `recommendations.html` — new 30/60/90/180-day remediation timeline with effort estimates and "why this window" rationale.
- Per-page TOC + anchor IDs on all nine pages (new `.page-toc` CSS rule, two-column layout).

Detection-rule fixes

- `bulk_exfil_baseline_trail.yml` — Chain A's missing Trail pair (the README's "every chain has both ACCOUNT_USAGE and Trail rules" claim was previously overstated for Chain A).
- `native_app_privilege_bump.yml`, `native_app_privilege_bump_trail.yml`, `native_app_unexpected_version_bump.yml` — switched `|contains` to `|startswith` to bind to the structural-token contract emitted by `application_history` projections (`PRIVILEGE:<name>`, `EXTERNAL ACCESS INTEGRATION:<name>`, etc.). Mock at `infra/lab/mock-snowflake/app.py:1019` confirms the structured-token shape.
- `udf_with_eai_invocation.yml` — switched to explicit `udf_has_eai: true` boolean. Previous `udf_eai_list|exists: true` would pass on an empty list and fire on UDFs that declare no EAIs.
- `ENRICHMENT.md` section 3 — per-SIEM watermark-computation recipes (Sentinel KQL, Splunk SPL, Elastic) + fallback modes + synthetic-event validation step. Closes the silent-never-fire risk on `federated_login_anomaly.yml`.

Cross-references

- `chain-reference-table.md` carries the new Trail rule UUID and the residual-risk profile table.
- `detection/snowflake/README.md` rule-count tier table reflects the new total (34 / 20).
- `check_snowflake_report_integrity.py` passes.

Test plan

- `python3 ci/check_snowflake_report_integrity.py` — passes (9 pages, nav parity + internal links)
- `python3 ci/check_snowflake_tools_syntax.py` — passes (24 modules)
- Serve locally (`python3 -m http.server 8080` from `reports/snowflake-platform-assessment/`) and verify: nav highlights the active page, TOC anchors scroll to the right section, all internal links resolve
- `healthcare-overlay.html` and `incident-response.html`: visual consistency with the existing report style

Generated with Claude Code
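Added example, not code from the PR or its repository: a toy Sigma-modifier evaluator run over constructed events, showing the two matching defects both the commit message and the summary describe (`|contains` vs `|startswith` on the `PRIVILEGE:` token, and `|exists: true` accepting an empty `udf_eai_list`). The field name `token`, the sample rows and the evaluator itself are assumptions made for illustration.

```python
"""Added example (not code from the PR or its repo): a toy evaluator for the
two Sigma-modifier defects this iteration fixes, run over constructed events.
The field name `token`, the sample rows and the evaluator are assumptions."""

def sigma_contains(value, needle):
    return isinstance(value, str) and needle in value

def sigma_startswith(value, needle):
    return isinstance(value, str) and value.startswith(needle)

def sigma_exists(value):
    # |exists: true checks only presence; an empty list is present too,
    # which is the udf_eai_list defect the PR describes.
    return value is not None

# Constructed application_history projection rows. Row 2 is free text that
# merely mentions the token text mid-string; only row 1 is a real token.
PRIV_EVENTS = [
    {"id": 1, "token": "PRIVILEGE:CREATE DATABASE"},
    {"id": 2, "token": "NOTE: requested PRIVILEGE: unchanged"},
    {"id": 3, "token": "EXTERNAL ACCESS INTEGRATION:billing_eai"},
]

# Constructed UDF-invocation rows. Row 2 declares no EAIs but still carries
# the (empty) list field; row 3 lacks the field entirely.
UDF_EVENTS = [
    {"id": 1, "udf_eai_list": ["billing_eai"], "udf_has_eai": True},
    {"id": 2, "udf_eai_list": [], "udf_has_eai": False},
    {"id": 3, "udf_has_eai": False},
]

def privilege_rule_before(ev):  # token|contains: 'PRIVILEGE:'
    return sigma_contains(ev.get("token"), "PRIVILEGE:")

def privilege_rule_after(ev):   # token|startswith: 'PRIVILEGE:'
    return sigma_startswith(ev.get("token"), "PRIVILEGE:")

def udf_rule_before(ev):        # udf_eai_list|exists: true
    return sigma_exists(ev.get("udf_eai_list"))

def udf_rule_after(ev):         # udf_has_eai: true
    return ev.get("udf_has_eai") is True

def fired(rule, events):
    """IDs of the events a rule matches, in input order."""
    return [ev["id"] for ev in events if rule(ev)]

def false_positives(before, after, events):
    """Events the old rule fired on that the fixed rule does not."""
    return sorted(set(fired(before, events)) - set(fired(after, events)))
```

Running `false_positives` on each pair returns the row the old rule would have over-fired on, which is the kind of synthetic-event validation the ENRICHMENT.md step calls for.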