Azure Databricks
Workspace Token (PAT)
Service Name: Azure Databricks
Service Description: Azure Databricks is a data analytics platform optimized for the Microsoft Azure cloud services platform. It provides a collaborative environment for data engineering, data science, and machine learning with Apache Spark integration.
Service Address: https://databricks.com/product/azure
Validation Type: API Auth
IP Allow list: IP access controls can be configured at the Azure Databricks workspace level through Azure Network Security Groups and Private Link.
Secret Access Scope: Grants programmatic access to Azure Databricks workspaces, allowing users to interact with notebooks, jobs, clusters, and data.
Secret Revokement URL: https://docs.databricks.com/dev-tools/auth.html#token-management
Secret Example: dapi0123456789abcdef0123456789abcdef
Suspicious Activity Investigation Instructions:
- Review the Databricks audit logs for unusual API calls or resource access
- Check for unauthorized notebook executions or job runs
- Monitor for unusual cluster creation or configuration changes
- Examine data access patterns for potential data exfiltration
- Review user permissions and access controls within the workspace
Mitigation Instructions:
- Immediately revoke the compromised token through the Databricks UI:
- Navigate to the user settings in your Databricks workspace
- Go to "User Settings" > "Access Tokens"
- Find the compromised token and click "Revoke"
- Alternatively, revoke via API using the Databricks REST API token management
endpoints
- Generate a new token with appropriate permissions if needed
- Review and update IP access controls for the Databricks workspace
- Implement token rotation policies to regularly cycle credentials
- Consider implementing Databricks workspace-level access controls to limit the
scope of future tokens